Hacker News new | ask | show | jobs
by trampi 3960 days ago
"XSS has nothing to do with {my website framework}, it just applies javascript that work anywhere in a compatible browser."

Actually it has something to do with git. Git should strip or escape the user input before displaying. XSS and SQL Injections are the same kind of issue -> do not trust the user input and escape the input before interaction with it happens.
2 comments
couchand 3960 days ago
Why would git strip formatting from my message? If my team wants colorful messages why should git be the one to say we're wrong?

Git commit messages are used for lots of different things, but at the end of the day it's just another piece of data included in a hash in a content-addressable file system.

If you're doing something with that tool where including formatting like this would be considered a vulnerability, it's on you to take care of that. It's exactly the same with any other bug or exploit in your codebase: it's not git's fault that you committed it.

link
trampi 3960 days ago
If you need to have this feature, then you should have to opt in (git config for example). But i have very good reasons to say that the default should properly escape the messages before printing them. I would not like it to clone a repo from github and having "git log" let my terminal go crazy. You unterstand, that this issue can have bigger impact than blinking commit messages, right?
link
couchand 3960 days ago
Terminal attacks are not new and the solution isn't to expect every individual program to escape terminal escape codes.

    The ideal solution is to sanitize all data before displaying it
    on your terminal, however without a custom terminal application
    or data filter, you can't guarantee that every tool you use on
    the command-line is going to strip escape sequences. The
    responsibility should rest on the actual terminal emulator; any
    features that allow file or command-line access should be
    disabled by default and more attention should be paid to new
    features that implement any use of escape sequences. [0]
Are you cloning untrusted repositories to your computer and running git log blindly?

[0]: http://marc.info/?l=bugtraq&m=104612710031920

link
tetrep 3960 days ago
no?

I mean, it would be super nice for your terminal emulator to just automagically filter out escape sequences when you, the user, do not want them and to allow them for programs that you do. a whitelist would work but would be super annoying to actually verify as so many programs output things from so many different inputs. it seems like programs themselves should decide if they need to output arbitrary data and, in cases where they don't, like git, they can filter it.

link
couchand 3960 days ago
Automagically? The terminal emulator's job is to parse and interpret those sequences.
link
tempodox 3960 days ago
I see your point, and I agree. The OP didn't mention that aspect, but yes, git is darned crappy software, repeating stupid mistakes that are long forgotten elsewhere. Some developers don't seem to be learning from past mistakes.
link
wdewind 3960 days ago
> git is darned crappy software

Let's not go crazy now.

link