What happens when I send a git request to a Malicious Site?

Question

So I mistyped a command. I wanted to do the Angular tutorial, so I did the following:

git clone --depth=14 https://github.om/angular/angular-phonecat.git

There was a typo when I used github.om instead of github.com.

Curious, I visited the site. I'm on Mac OS X // Safari, so it did one of those phony "You have a virus! Have an inescapable dialog box."

So this made me wonder... What happens when you send a git request to a malicious site? What sort of things can they learn about your system, your user information, etc.?

Also, what if I used sudo to complete this command -- let's say that I was on a guest account. What else could they learn from that? Does that change anything?

Side note: If you were cloning over SSH, it would've asked you to confirm the host key, which has the side effect of telling you you're connecting to the wrong site. — user253751, Jan 11 '16 at 00:55
I am too tired to write a full answer, but everything you need to know is in the protocol specification. TL;DR: The worst that could happen is that it pushes you malicious sourcecode, hoping that you compile and run it. — Philipp, Jan 11 '16 at 01:01

score 1 · Accepted Answer · answered Jan 18 '16 at 18:54

The worst that can happen, is that you may have a security bug you don't know about in your git client, and the remote you accidentally connected to may host a specially crafted repository to take advantage of it, and you will be pwned.

Unlikely? Yes. But there has been at least one git vulnerability allowing remote code execution during a clone in the past. And git, like any network-enabled software of sufficient complexity, has had its share of security vulnerabilities.

If you're running with sudo, obviously remote code execution could be far worse than normal. So maybe avoid doing that in the future if you can.

What happens when I send a git request to a Malicious Site?

1 Answers1