search

arthaud / git-dumper

A tool to dump a git repository from a website
MIT License
1.69k stars 235 forks source link

Information about the disclaimer #38

Closed LucasVanHaaren closed 9 months ago

LucasVanHaaren commented 9 months ago

Hello,

Reading the README, I'm wondering why and how using this tool to a attacker controller repo can lead to a remote code execution on my machine ?

I've read the code but I don't see how this can happen. Does anyone can elaborate on how to achieve this ? If someone have a Poc it will be awesome.

cf. the disclaimer :

Use this software at your own risk!

You should know that if the repository you are downloading is controlled by an attacker, this could lead to remote code execution on your machine.

Thanks ! :smiley:

arthaud commented 9 months ago

See https://github.com/justinsteven/advisories/blob/main/2022_git_buried_bare_repos_and_fsmonitor_various_abuses.md The problem is not in git-dumper itself. The problem is calling 'git checkout' (which we do) on untrusted repositories. Apparently an attacker can craft a repository with a nested repository and a .git/config file that defines 'core.fsmonitor' and it will call it.

LucasVanHaaren commented 9 months ago

Wow okay, thank you so much for the information I had no idea !