undefined | Better HN

0 pointsraesene98y ago0 comments

Oh yeah I'm not saying don't upgrade, what I'm saying is that you're already cloning a repo. presumably to run the code therein.

Given that running the code therein (if the owner of the repo. is malicious) will hurt you, this doesn't do too much apart from have it happen earlier on :)

I guess one scenario where it could be a problem is if you were planning to clone untrusted code and read it all carefully before running it.

0 comments

3 comments · 2 top-level

lazaroclapp8y ago· 1 in thread

Suppose that you are, say, a security researcher, running purely static analysis tools on the code from every git repo that you can crawl, specifically looking for malware or common bugs without running the code (simple example: you are grep-ing for AWS keys and other secrets that should never be committed to a repo). This would be unexpected and very dangerous behavior in that setting.

Sure, in theory, "unexpected and dangerous behavior" is par the course for security research and you isolate even data that you don't intend to execute if you suspect it is malicious. But, in practice, this is an easy mistake to make.

As another example, consider an automatic git mirror, or whatever the internal GitHub/GitLab/Bitbucket infra might do to move repos around, without intending to execute the code.

mclehman8y ago

Thank you for posting this. I found myself mostly agreeing with the user you replied to, even though I myself am crawling and cloning a large number of git repos to do some static analysis work on them. That was a niche attack vector that I'm clearly exposed to, and somehow I still wasn't seeing it.

phendrenad28y ago

I’d guess that only 50% of times that people git pull a repo, they eventually execute it. I know that’s the figure for me personally - I pull a lot of projects down locally so i can open them in my IDE and study how they work - never to be executed.

j / k navigate · click thread line to collapse