Google Git
Sign in
googlers / jrn / git / a1d4f67c12ac172f835e6d5e4e0a197075e2146b^! / . / Documentation / config / protocol.txt
commita1d4f67c12ac172f835e6d5e4e0a197075e2146b[log] [tgz]
authorTaylor Blau <me@ttaylorr.com>Fri Jul 29 15:22:13 2022 -0400
committerTaylor Blau <me@ttaylorr.com>Sat Oct 01 00:23:38 2022 -0400
treee2cca7e4b66b8437356b37f6f431f2a94fa365eb
parentf4a32a550f9d40471fb42ed1e5c8612dfe4a83b1 [diff] [blame]
transport: make `protocol.file.allow` be "user" by default

An earlier patch discussed and fixed a scenario where Git could be used
as a vector to exfiltrate sensitive data through a Docker container when
a potential victim clones a suspicious repository with local submodules
that contain symlinks.

That security hole has since been plugged, but a similar one still
exists.  Instead of convincing a would-be victim to clone an embedded
submodule via the "file" protocol, an attacker could convince an
individual to clone a repository that has a submodule pointing to a
valid path on the victim's filesystem.

For example, if an individual (with username "foo") has their home
directory ("/home/foo") stored as a Git repository, then an attacker
could exfiltrate data by convincing a victim to clone a malicious
repository containing a submodule pointing at "/home/foo/.git" with
`--recurse-submodules`. Doing so would expose any sensitive contents in
stored in "/home/foo" tracked in Git.

For systems (such as Docker) that consider everything outside of the
immediate top-level working directory containing a Dockerfile as
inaccessible to the container (with the exception of volume mounts, and
so on), this is a violation of trust by exposing unexpected contents in
the working copy.

To mitigate the likelihood of this kind of attack, adjust the "file://"
protocol's default policy to be "user" to prevent commands that execute
without user input (including recursive submodule initialization) from
taking place by default.

Suggested-by: Jeff King <peff@peff.net>
Signed-off-by: Taylor Blau <me@ttaylorr.com>

diff --git a/Documentation/config/protocol.txt b/Documentation/config/protocol.txt
index 756591d..79938913 100644
--- a/Documentation/config/protocol.txt
+++ b/Documentation/config/protocol.txt

@@ -1,10 +1,10 @@
 protocol.allow::
 	If set, provide a user defined default policy for all protocols which
 	don't explicitly have a policy (`protocol.<name>.allow`).  By default,
-	if unset, known-safe protocols (http, https, git, ssh, file) have a
+	if unset, known-safe protocols (http, https, git, ssh) have a
 	default policy of `always`, known-dangerous protocols (ext) have a
-	default policy of `never`, and all other protocols have a default
-	policy of `user`.  Supported policies:
+	default policy of `never`, and all other protocols (including file)
+	have a default policy of `user`.  Supported policies:
 +
 --