A popular distributed revision control system. Built for speed, data integrity and with support for distributed, non-linear workflows.
Questions tagged [git]
107 questions
5 votes, 2 answers
Do Git Commit signatures prevent repository modification?
Git commit signatures seem to sign the commit message, but I can't find much information on what the signatures actually solve, and I don't understand the git architecture.
If I have a repository which began unsigned but moved to a…
throwaway124215
5 votes, 3 answers
In what ways is Git a security measure?
When the boss asks why Git is good, can I justify using security as one of the reasons?
Under Git, it's easy to track changes. Maliciously altered files can be revealed with a simple 'git diff' on the command line.
Even if attackers were able to do…
Buttle Butkus
4 votes, 1 answer
How secure is a git commit hash (sha1)?
Consider the following scenario:
Someone, using a good version of git, issues a git clone followed by a git checkout of some commit hash (the 40 character hexadecimal).
To clarify, assume Bob does the following on a secure machine:
$ git clone…
Carlo Wood
4 votes, 2 answers
Deleted commit still visible from GitLab web interface, exposing sensitive data
Some weeks ago I accidentally committed a configuration file containing some passwords and I pushed it on a GitLab remote managed by my company.
After that I used BFG Repo-Cleaner to remove the passwords from the history.
After the clean I…
xonya
4 votes, 3 answers
Is it safe storing revision history on production servers?
Currently at my workplace we use svn export. This takes a long time, and I have been playing with the idea of keeping the revision history on the production server so we can simply fetch the updates.
In practice I was thinking to have a…
Johan Hanssen Seferidis
1 vote, 1 answer
Can you alter a Git repository without anyone noticing it?
Consider this scenario:
You have a central Git repository online (e.g. on Github, GitLab, etc.)
User1 and User2 have access to that repository
User1 is malicious and changes some files in a past commit (he does not add a new, normal commit)
User1…
collimarco
1 vote, 1 answer
How can I improve the security of my protected branches in GitHub/GitLab?
Many online Git hosting services (such as GitHub and GitLab) allow you to 'protect' certain branches so that only project administrators can modify them.
The purpose of this is to allow non-admin contributors to work in other branches without…
jamieweb
1 vote, 2 answers
Blindly downloading a git repo: specifically, generating .pack files
I'm pen-testing an application with a bug bounty program.
I've found a .git folder which just gives a 403 forbidden error.
However, when browsing to directories such as dodgy.com/.git/config, the file will download.
I discovered this a few hours ago…
0lly
1 vote, 0 answers
Would it be possible to construct a generic security advisory mechanism for git repositories?
It seems to have become easier, and thus more common for software to be deployed by simply checking it out of a git repository, rather than going via release versions. This makes it difficult to know what upstream security issues might exist.
I…
mc0e
1 vote, 1 answer
What happens when I send a git request to a Malicious Site?
So I mistyped a command. I wanted to do the Angular tutorial, so I did the following:
git clone --depth=14 https://github.om/angular/angular-phonecat.git
There was a typo when I used github.om instead of github.com.
Curious, I visited the site.…
Jared Hooper
0 votes, 2 answers
Is git sparse-checkout secure?
I'm a software developer and our entire code of the project is stored in a single git repository. A small part of this now needs to be made available to a customer. He does not need to push to the repo nor does he need to pull currently. I would…
SeVe
0 votes, 1 answer
Can we detect risk signals or potential vulnerabilities in git meta-data?
I'm wondering whether git commit metadata can shed light on potential risk signals or vulnerabilities.
Henry Hinnefeld has investigated this here, but this seems to be a way of detecting vulnerabilities which have already been spotted by other…
0 votes, 3 answers
Does Git usage raise a valid security concern? If so, how?
This is about pure-and-simple Git; NOT the security concerns of using third party services like Github or Gitlab.
While working on a closed source security project, during a meeting, one of the senior developers on a sister team implied that Git…
NonCreature0714