authorSilvio Rhatto <rhatto@riseup.net>2017-09-16 18:57:16 -0300
committerSilvio Rhatto <rhatto@riseup.net>2017-09-16 18:57:16 -0300
commitf353440268647fc4d600ac71f0706cc9e54c2168 (patch)
treea198d27aaa08698dbee369866a4a4221393adaa2 /hit
parent7d889c0767d44d070628ad708ed640f1f8d9a7ce (diff)
Adds hit, the git interceptor
Diffstat (limited to 'hit')
-rwxr-xr-xhit56
1 files changed, 56 insertions, 0 deletions
diff --git a/hit b/hit
new file mode 100755
index 0000000..7f24226
--- /dev/null
+++ b/hit
@@ -0,0 +1,56 @@
+#!/bin/bash
+#
+# hit: the git interceptor
+#
+# Main features:
+#
+# * Disables/mitigates hooks by changing permission and ownership on `~/.git/hooks`.
+#
+# Other features to consider:
+#
+# * Checks proper user/email config.
+# * Automatically sets git-flow when initializing a repository.
+# * Automatically sets git-hooks integration.
+# * Implements global hooks.
+# * Checks remote configuration.
+# * Checks hook tampering before doing anything in the repository, like removing hook permissions
+
+# Parameters
+BASENAME="`basename $0`"
+
+# Ensure we run a system-wide git installation and not any other script or alias
+GIT="/usr/bin/git"
+
+# Check for firejail
+if which firejail &> /dev/null; then
+ GIT="firejail $GIT"
+fi
+
+#
+# Disable git hooks
+#
+# A malicious software that is being tested might put arbitrary scripts as git hooks.
+# This can be an attack vector if you're testing the software inside a virtual machine but is
+# handling git commands from the host machine (like when running vagrant).
+#
+# By disabling any hooks from being execute we mitigate a possible attack vector.
+#
+# References:
+#
+# https://stackoverflow.com/questions/35997624/how-to-disable-git-hooks-for-security-reason
+# https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/
+if [ -d ".git/hooks" ]; then
+ # Remove all exec permissions
+ chmod -x .git/hooks/*
+
+ # Rename all non-default hook files
+ for file in `ls -1 .git/hooks/ | grep -v '.sample$'`; do
+ echo "hit: renaming .git/hook/$file to .git/hook/$file.sample"
+ mv .git/hooks/$file .git/hooks/$file.sample
+ done
+fi
+
+#
+# Call git
+#
+$GIT $*
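Review bot: `$GIT $*` on the last line re-splits and re-globs every argument, so a commit message containing spaces or a pathspec containing `*` reaches git mangled; it should be `$GIT "$@"` (the unquoted `$GIT` itself is fine, since it is meant to split into `firejail /usr/bin/git`). The hook mitigation also only fires when the current directory is the repository top level (`[ -d ".git/hooks" ]`), so `hit` invoked from a subdirectory, or on a repository whose `core.hooksPath` points elsewhere, passes straight through to git with hooks still enabled — resolving the directory with `$GIT rev-parse --git-path hooks` (which, as far as I know, honours `core.hooksPath` and executes no hooks itself) covers both cases. The `ls | grep` loop breaks on hook filenames with whitespace and its unescaped `.sample$` pattern matches any character before `sample`, while the message it prints says `.git/hook/` where the path is `.git/hooks/`; a glob loop with `case` and `mv --` fixes all three. Since this reworks the whole `if` block, the rewritten lines are below.

```shell
# Resolve the hooks dir of the repository containing the cwd (also honours
# core.hooksPath) instead of assuming we are at the top level.
HOOKS="$($GIT rev-parse --git-path hooks 2>/dev/null)"
if [ -n "$HOOKS" ] && [ -d "$HOOKS" ]; then
  # Remove all exec permissions
  chmod -x -- "$HOOKS"/*

  # Rename all non-default hook files
  for file in "$HOOKS"/*; do
    [ -f "$file" ] || continue
    case "$file" in *.sample) continue ;; esac
    echo "hit: renaming $file to $file.sample"
    mv -- "$file" "$file.sample"
  done
fi

# … unchanged: "Call git" comment header …
$GIT "$@"
```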