Git: Malicious repositories can execute remote cod...

[minitech]

There is a huge difference between “clone a repo” and “clone a repo and run code from it”.

[kazinator]

In spite of my tongue-in-cheek statement, I get it.

It's huge in the context of non-programming uses of Git. If some people are just sharing some text documents with Git, then it's a big deal.

This is likely on the rise.

E.g. if you look at a site like Github, there is a lot of non-code content in it. Some people stash that content, and other people believe that content to just be harmless files that will never perpetrate an exploit just from being cloned.

[minitech]

It’s a big deal regardless of whether documents or code are being stored. Cloning a repo should not open you up to RCE.

[doctor_eval]

Agreed, I frequently clone repos so I can look at the code in a terminal with grep, with no intention of ever building it.

[jtsiskin]

Technically yes, but I can’t think of the last time I cloned a repo without then running code from it...

[minitech]

Well, I clone repos to inspect code all the time, and when I run code, it’s usually not with the same permissions as the corresponding `git clone`. Maybe I should be better about sandboxing Git…

[friendzis]

Depends on how you define "running code".

  1. Download container description (Dockerfile)
  2. Upon image build it "compiles things" (e.g. processes/assembles javascript)
  3. Build fails, because it pulls architecture incompatible library (or does not pull architecture mandated library)
  4. Fix build scripts, rebuild container image
  5. Verify container
  6. Pull repo
  7. Reproduce changes, commit
  8. Push

Nothing apart clone-edit-push happens on the repo. The code can be executed on a remote, hardened, isolated system. With proliferation of containers I guess this scenario will become more and more common among ops people.

[0x0]

Any html/js web frontend project that runs in a browser?

[IshKebab]

Sure I'll just `npm install`.... damnit! Hacked again.