diff options
author | Taylor Blau <me@ttaylorr.com> | 2022-07-29 22:22:13 +0300 |
---|---|---|
committer | Taylor Blau <me@ttaylorr.com> | 2022-10-01 07:23:38 +0300 |
commit | a1d4f67c12ac172f835e6d5e4e0a197075e2146b (patch) | |
tree | e2cca7e4b66b8437356b37f6f431f2a94fa365eb /transport.c | |
parent | f4a32a550f9d40471fb42ed1e5c8612dfe4a83b1 (diff) |
transport: make `protocol.file.allow` be "user" by default
An earlier patch discussed and fixed a scenario where Git could be used
as a vector to exfiltrate sensitive data through a Docker container when
a potential victim clones a suspicious repository with local submodules
that contain symlinks.
That security hole has since been plugged, but a similar one still
exists. Instead of convincing a would-be victim to clone an embedded
submodule via the "file" protocol, an attacker could convince an
individual to clone a repository that has a submodule pointing to a
valid path on the victim's filesystem.
For example, if an individual (with username "foo") has their home
directory ("/home/foo") stored as a Git repository, then an attacker
could exfiltrate data by convincing a victim to clone a malicious
repository containing a submodule pointing at "/home/foo/.git" with
`--recurse-submodules`. Doing so would expose any sensitive contents in
stored in "/home/foo" tracked in Git.
For systems (such as Docker) that consider everything outside of the
immediate top-level working directory containing a Dockerfile as
inaccessible to the container (with the exception of volume mounts, and
so on), this is a violation of trust by exposing unexpected contents in
the working copy.
To mitigate the likelihood of this kind of attack, adjust the "file://"
protocol's default policy to be "user" to prevent commands that execute
without user input (including recursive submodule initialization) from
taking place by default.
Suggested-by: Jeff King <peff@peff.net>
Signed-off-by: Taylor Blau <me@ttaylorr.com>
Diffstat (limited to 'transport.c')
-rw-r--r-- | transport.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/transport.c b/transport.c index 679a35e7c1..d2e3a90de1 100644 --- a/transport.c +++ b/transport.c @@ -964,8 +964,7 @@ static enum protocol_allow_config get_protocol_config(const char *type) if (!strcmp(type, "http") || !strcmp(type, "https") || !strcmp(type, "git") || - !strcmp(type, "ssh") || - !strcmp(type, "file")) + !strcmp(type, "ssh")) return PROTOCOL_ALLOW_ALWAYS; /* known scary; err on the side of caution */ |