出于安全原因，如何禁用GIT挂钩? [英] How to disable GIT hooks for security reason?

问题描述

如果克隆git存储库，出于安全原因，我不会克隆这些钩子.但是，如果我通过其他方式(例如ZIP文件)获得存储库，该怎么办?在我不完全信任的存储库上运行GIT命令时，如何确保没有执行钩子?

If you clone a git repository, the hooks are not cloned for security reasons I suppose. But what if I get a repository by an other way like a ZIP file? How can I make sure there is no hook executed when I run GIT commands on a repository which I don't fully trust?

我能想到的是删除.git/hook目录中所有文件的可执行标志.但是根据文档，挂钩通常仅存储在此目录中，因此可能需要先清理其他地方. (如何更改挂钩目录?)

What I can think of, is to remove the executable flag of all files in the .git/hook directory. But according to the documentation, the hooks are only normally stored in this directory so there might be other places to clean first. (How to change the hook directory by the way?)

作为一个例子，我关注的文件是本次比赛的文件:

As an example, I'm concerned about a file like the one from this contest:

http://hackyeaster.hacking-lab.com/hackyeaster/challenge12.html

推荐答案

您是正确的，如果通过克隆以外的其他方式收到.git目录，则该目录可能包含恶意软件，包括挂钩. (不过，如果您习惯于从其他地方下载任意代码而不进行检查，则比git钩子有更多的风险.)

You are correct that if you receive a .git directory by some means other than cloning it, it might contain malware, including hooks. (If you're in the habit of downloading arbitrary code from elsewhere and not inspecting it, though, you have more risks than just git hooks.)

事实证明，较旧版本的git中存在一个错误，该错误无法禁止名称为.Git的文件(树条目).如果您使用区分大小写的文件系统将这样的存储库克隆到Linux或Unix机器上，就可以了，但是如果您使用区分大小写的 in 文件系统将其克隆到Windows或Mac系统上(或在Linux/Unix机器上设置这样的文件系统)，名称.Git与名称.git相匹配，并且这些较旧版本的git会继续写到.git；因此，即使您使用标准的git克隆机制，这也是有人可以将其偷偷潜入系统的一种方式.

As it turns out, there's a bug in older versions of git that fails to prohibit files (tree entries) with names like .Git. If you clone such a repository onto a Linux or Unix box using a case-sensitive file system, you are OK, but if you clone onto a Windows or Mac system using a case-insensitive file system (or set up such a file system on your Linux/Unix box), the name .Git matches the name .git and these older version of git will go ahead and write to .git; so this is a way someone can sneak things into your system even if you use the standard git cloning mechanism.

在2.9之前的Git版本中，关闭.git/hooks/* 中的执行位足以停止挂钩的运行(因为没有其他挂钩位置).在Git 2.9或更高版本中，您-或拥有配置文件的任何人-都可以配置core.hooksPath变量以添加可以从其运行钩子的其他位置，因此仅此一项是不够的.通常，每当您从其他地方获取未经验证的代码时，都应仔细检查它.即使在使用经过安全认证的签名软件(例如Apple的Mac版软件更新)时，您也可能要谨慎一些，因为确实会发生错误.

In Git versions before 2.9, turning off the execution bit in .git/hooks/* will suffice to stop hooks from running (as there are no alternative hook locations). In Git 2.9 or later, you—or whoever owns your configuration file—can configure a core.hooksPath variable to add additional locations from which hooks could run, so this alone is not sufficient. As a general rule, whenever you obtain un-verified code from elsewhere, you should inspect it carefully. Even when using security-certificate signed software (as in, e.g., Apple's software updates for Mac), you might want to use some degree of caution, as mistakes do happen.

这篇关于出于安全原因，如何禁用GIT挂钩?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！