Diffstat (limited to 'hit')
-rwxr-xr-x | hit | 56 |
1 files changed, 56 insertions, 0 deletions
@@ -0,0 +1,56 @@
+#!/bin/bash
+#
+# hit: the git interceptor
+#
+# Main features:
+#
+# * Disables/mitigates hooks by changing permission and ownership on `~/.git/hooks`.
+#
+# Other features to consider:
+#
+# * Checks proper user/email config.
+# * Automatically sets git-flow when initializing a repository.
+# * Automatically sets git-hooks integration.
+# * Implements global hooks.
+# * Checks remote configuration.
+# * Checks hook tampering before doing anything in the repository, like removing hook permissions
+
+# Parameters
+BASENAME="`basename $0`"
+
+# Ensure we run a system-wide git installation and not any other script or alias
+GIT="/usr/bin/git"
+
+# Check for firejail
+if which firejail &> /dev/null; then
+ GIT="firejail $GIT"
+fi
+
+#
+# Disable git hooks
+#
+# A malicious software that is being tested might put arbitrary scripts as git hooks.
+# This can be an attack vector if you're testing the software inside a virtual machine but is
+# handling git commands from the host machine (like when running vagrant).
+#
+# By disabling any hooks from being execute we mitigate a possible attack vector.
+#
+# References:
+#
+# https://stackoverflow.com/questions/35997624/how-to-disable-git-hooks-for-security-reason
+# https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/
+if [ -d ".git/hooks" ]; then
+ # Remove all exec permissions
+ chmod -x .git/hooks/*
+
+ # Rename all non-default hook files
+ for file in `ls -1 .git/hooks/ | grep -v '.sample$'`; do
+ echo "hit: renaming .git/hook/$file to .git/hook/$file.sample"
+ mv .git/hooks/$file .git/hooks/$file.sample
+ done
+fi
+
+#
+# Call git
+#
+$GIT $*
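Review bot: `$GIT $*` on the last added line word-splits and glob-expands every argument before git sees it, so a commit message given as `-m "fix bug"` arrives as two words and a pathspec such as `*.c` is expanded by the wrapper's shell instead of by git; the same unquoted expansion appears in `chmod -x .git/hooks/*` and the `mv .git/hooks/$file ...` line. Keep the command as an array and pass arguments through verbatim: `GIT=(/usr/bin/git)`, `GIT=(firejail "${GIT[@]}")` inside the firejail branch, and `exec "${GIT[@]}" "$@"` as the final line. The hook neutralisation only inspects `.git/hooks` relative to the current directory, so invoking the wrapper from a subdirectory of the repository, or a repository whose config sets `core.hooksPath`, appears to leave the real hooks untouched; resolving the directory with `"${GIT[@]}" rev-parse --git-path hooks` would cover the location git actually consults. The `ls -1 ... | grep -v` loop should iterate a glob (`for file in .git/hooks/*; do`, skipping names matching `*.sample`), `which firejail` is better written `command -v firejail`, and the echo text says `.git/hook/` where the path moved is `.git/hooks/`.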