Page MenuHomePhabricator
Create Task
Maniphest T259977

Document the security reasons for mounting .git as read-only
Open, LowPublic
Actions

Description

Imported from GitHub issue wikimedia/fresh#6.

Original task written on 16 Sep 2019 by @Krinkle:

Escalation of rights by having an npm script add a shell script to .git/hooks which survives the container and would not should up in "git status" and would execute on the host machine (outside the container) on future git commands like git commit or git pull.

Related Objects

Event Timeline

Krinkle created this task.Aug 8 2020, 3:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 8 2020, 3:03 PM
Krinkle triaged this task as Medium priority.Aug 8 2020, 3:03 PM
Legoktm subscribed.Dec 29 2020, 4:58 AM

In addition to writing to .git/hooks, you could also add malicious commits to a git repository that doesn't go through code review.

Krinkle added a comment.Sep 3 2021, 8:24 PM

Ref T290074: Users should run explicit commands to materialize schema versions, rather than using magic git hooks

Restricted Application added a project: Performance-Team. · View Herald TranscriptSep 3 2021, 8:24 PM
Krinkle moved this task from Inbox, needs triage to Backlog: Maintenance, non-prioritized on the Performance-Team board.Sep 3 2021, 8:24 PM
Krinkle claimed this task.Sep 11 2021, 10:44 PM
Krinkle lowered the priority of this task from Medium to Low.Sep 19 2022, 5:55 PM
Krinkle removed Krinkle as the assignee of this task.Jan 22 2023, 10:25 PM
Krinkle added a project: good first task.
Krinkle mentioned this in T319532: fresnel "before" and "after" recordings unexpectedly share state.Jan 22 2023, 10:28 PM
larissagaulia moved this task from Backlog: Maintenance, non-prioritized to To-do: Goals, prioritized next 4 Quarters on the Performance-Team board.Jan 23 2023, 9:11 AM
Krinkle moved this task from To-do: Goals, prioritized next 4 Quarters to Backlog: Future Goals, non-prioritized on the Performance-Team board.Jun 15 2023, 5:30 PM
Krinkle removed a project: Performance-Team.Aug 17 2023, 1:36 PM
Krinkle added a subscriber: hashar.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL