martinvonz / jj

A Git-compatible VCS that is both simple and powerful
https://martinvonz.github.io/jj/
Apache License 2.0

Implement repo ownership checks #3303

Open khionu opened 6 months ago

khionu commented 6 months ago

Git has a couple config variables around repositories that aren't owned by the current user. This speaks to a threat model that we should consider.

By default, Git will refuse to even parse a Git config of a repository owned by someone else, let alone run its hooks, and this config setting allows users to specify exceptions.

The main question is, should we mirror/adopt this behaviour?

Update

While we might not run githooks, we might still run into the same security consideration as in the CVE linked below. Ergo, this is a prudent feature to add as a security measure.
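An added example of the check described in this post, in the spirit of Git's `safe.directory` handling. It is not jj's code; it assumes a Unix-like host, and the `safe_dirs` exception list is a hypothetical stand-in for whatever config key the VCS would expose.

```rust
// Added example, not jj's own code: a Git-style repository ownership check.
// Assumes a Unix-like host; `safe_dirs` is a hypothetical exception list.
use std::fs;
use std::io;
use std::os::unix::fs::MetadataExt;
use std::path::{Path, PathBuf};

/// Outcome of the ownership check.
#[derive(Debug, PartialEq)]
pub enum Trust {
    /// The repository directory is owned by the user running the VCS.
    OwnedByUser,
    /// Owned by someone else, but explicitly allow-listed by the user.
    AllowListed,
    /// Owned by someone else and not allow-listed: do not parse in-repo config.
    Untrusted { owner_uid: u32 },
}

/// Decide whether in-repo configuration may be honoured. `current_uid` is the
/// effective uid of the running process (std has no geteuid, so the caller
/// supplies it); `safe_dirs` mirrors Git's `safe.directory` exception list.
pub fn check_repo_ownership(
    repo_dir: &Path, current_uid: u32, safe_dirs: &[PathBuf],
) -> io::Result<Trust> {
    // Resolve symlinks first so a link into another user's tree is judged by
    // the real directory, and allow-list entries compare on the same footing.
    let canonical = fs::canonicalize(repo_dir)?;
    let owner_uid = fs::metadata(&canonical)?.uid();
    if owner_uid == current_uid {
        return Ok(Trust::OwnedByUser);
    }
    let allow_listed = safe_dirs
        .iter()
        .any(|d| fs::canonicalize(d).map(|c| c == canonical).unwrap_or(false));
    if allow_listed {
        Ok(Trust::AllowListed)
    } else {
        Ok(Trust::Untrusted { owner_uid })
    }
}

fn main() -> io::Result<()> {
    // A fresh temp dir is owned by us, so its uid stands in for geteuid().
    let dir = std::env::temp_dir().join(format!("ownership-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let me = fs::metadata(&dir)?.uid();
    println!("{:?}", check_repo_ownership(&dir, me, &[])?);
    println!("{:?}", check_repo_ownership(&dir, me.wrapping_add(1), &[])?);
    println!("{:?}", check_repo_ownership(&dir, me.wrapping_add(1), &[dir.clone()])?);
    fs::remove_dir_all(&dir)
}
```

Git's real check also walks the parent directories during repository discovery; this example judges only the directory it is handed.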

poliorcetics commented 6 months ago

The history of the feature seems linked to a CVE (https://github.blog/2022-04-12-git-security-vulnerability-announced/#cve-2022-24765), so having something similar sounds good.

khionu commented 6 months ago

Oh yikes. I was wondering but I hadn't figured that far into it.

khionu commented 5 months ago

I think this should be implemented, so adjusting accordingly.

yuja commented 5 months ago

Related: #1595 (I personally like the idea of optionally disabling in-repo config)