I was wondering : What if I had a "malicious" GIT repository who can
"inject" code  via git hooks mechanism : someone clone my repo and
some malicious code is executed when a certain GIT hook is triggered
(for example on commit ("prepare-commit-msg' hook)) ? What if I email
/etc/passwd for exemple ?

Does GIT's hooks security is assured by the GIT user privileges ? but
git user can still read /etc/passwd and make something fun with it :)

Is it by the trust relationship ? I mean, If I clone a repo, I
certainly knew the source and I trusted it ... isn't it ?
But if I have a website with file injection vulnerability and I can
replace the git hook script with another (malicious) content ...

I'm maybe "paranoid" :) but I'm just asking the question ... just for
my curiosity's sake :)

Thanks for your comments and explanations :)


Mathematics is made of 50 percent formulas, 50 percent proofs, and 50
percent imagination.
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to