From f353440268647fc4d600ac71f0706cc9e54c2168 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sat, 16 Sep 2017 18:57:16 -0300
Subject: Adds hit, the git interceptor
---
 commit | 17 ++++++++++-------
 commit-updates | 5 ++++-
 git | 1 +
 hit | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 71 insertions(+), 8 deletions(-)
 create mode 120000 git
 create mode 100755 hit
diff --git a/commit b/commit
index e7026b6..0b998b0 100755
--- a/commit
+++ b/commit
@@ -6,6 +6,9 @@
 # Parameters
 ARGS="$*"
+# Git application we use
+GIT="hit"
+
 # Check if a file is inside a git repository
 # Usage: git_folder
 function git_folder {
@@ -51,7 +54,7 @@ function is_git {
 elif [ -d "$1/.git" ]; then
 return
 else
- ( cd "$1" && git status &> /dev/null )
+ ( cd "$1" && $GIT status &> /dev/null )
 if [ "$?" != "128" ]; then
 return
@@ -77,12 +80,12 @@ function is_svn {
 function git_push {
 if [ "`git remote | wc -l`" == "0" ]; then
 return
-elif git remote | grep -q 'all'; then
-git push all --all
+elif $GIT remote | grep -q 'all'; then
+$GIT push all --all
 #elif git remote | grep -q 'origin'; then
 # echo "Please configure the 'all' remote first."
 # exit 1
- # #git push --all
+ # #$GIT push --all
 fi
 }
@@ -130,13 +133,13 @@ function git_commit {
 # If there are no staged files, commit everything.
 # Otherwise commit just what was staged
- if git status --short | grep -q "^[AM]"; then
+ if $GIT status --short | grep -q "^[AM]"; then
 flag=""
 else
 flag="-a"
 fi
- git commit $flag -m "$params"
+ $GIT commit $flag -m "$params"
 }
 # Main
@@ -150,6 +153,6 @@ if [ ! -z "$1" ]; then
 git_user
 git_commit $*
 git_push
- git fetch --all
+ $GIT fetch --all
 fi
 fi
diff --git a/commit-updates b/commit-updates
index 93faf12..2a71c1d 100755
--- a/commit-updates
+++ b/commit-updates
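Review bot: The `GIT="hit"` indirection introduced at the top of `commit` is not applied to every git call in the file: in the `git_push` hunk the context line that counts remotes still runs bare `git remote | wc -l`, and the first hunk of `commit-updates` likewise keeps `if ! git status &> /dev/null; then`, so those invocations reach the real git unless the `git` symlink added by this commit happens to shadow it on PATH. Changing them to `$GIT remote | wc -l` and `if ! $GIT status &> /dev/null; then` makes the interception consistent with the other replaced lines. `GIT="hit"` is itself resolved through PATH even though `hit` ships next to these scripts; `GIT="$(dirname "$0")/hit"` would pin it, though whether that fits depends on how the directory is installed. The bodies of `is_git`, `git_push` and `git_commit` extend beyond their hunks.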
@@ -6,6 +6,9 @@
 # Parameters
 PROJECT="$1"
+# Git application we use
+GIT="hit"
+
 # Check if param is a project
 if [ ! -z "$PROJECT" ] && [ -z "$2" ] && ( cd $PROJECT &> /dev/null ); then
 if ! git status &> /dev/null; then
@@ -21,7 +24,7 @@ fi
 ARGS="$*"
 # Simply update commit
-if git status &> /dev/null; then
+if $GIT status &> /dev/null; then
 if [ ! -z "$ARGS" ]; then
 commit "Updates $ARGS"
 else
diff --git a/git b/git
new file mode 120000
index 0000000..7d20918
--- /dev/null
+++ b/git
@@ -0,0 +1 @@
+hit
\ No newline at end of file
diff --git a/hit b/hit
new file mode 100755
index 0000000..7f24226
--- /dev/null
+++ b/hit
@@ -0,0 +1,56 @@
+#!/bin/bash
+#
+# hit: the git interceptor
+#
+# Main features:
+#
+# * Disables/mitigates hooks by changing permission and ownership on `~/.git/hooks`.
+#
+# Other features to consider:
+#
+# * Checks proper user/email config.
+# * Automatically sets git-flow when initializing a repository.
+# * Automatically sets git-hooks integration.
+# * Implements global hooks.
+# * Checks remote configuration.
+# * Checks hook tampering before doing anything in the repository, like removing hook permissions
+
+# Parameters
+BASENAME="`basename $0`"
+
+# Ensure we run a system-wide git installation and not any other script or alias
+GIT="/usr/bin/git"
+
+# Check for firejail
+if which firejail &> /dev/null; then
+ GIT="firejail $GIT"
+fi
+
+#
+# Disable git hooks
+#
+# A malicious software that is being tested might put arbitrary scripts as git hooks.
+# This can be an attack vector if you're testing the software inside a virtual machine but is
+# handling git commands from the host machine (like when running vagrant).
+#
+# By disabling any hooks from being execute we mitigate a possible attack vector.
+#
+# References:
+#
+# https://stackoverflow.com/questions/35997624/how-to-disable-git-hooks-for-security-reason
+# https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/
+if [ -d ".git/hooks" ]; then
+ # Remove all exec permissions
+ chmod -x .git/hooks/*
+
+# Rename all non-default hook files
+ for file in `ls -1 .git/hooks/ | grep -v '.sample$'`; do
+ echo "hit: renaming .git/hook/$file to .git/hook/$file.sample"
+ mv .git/hooks/$file .git/hooks/$file.sample
+ done
+fi
+
+#
+# Call git
+#
+$GIT $*
-- 
cgit v1.2.3
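Review bot: `$GIT $*` on the last line re-splits every argument on whitespace, so a commit message passed as `-m "two words"` reaches git as two separate arguments; the call should be `exec $GIT -c core.hooksPath=/dev/null "$@"` (`$GIT` stays unquoted only because the firejail branch stores two words in it, which an array would express more cleanly). The `-c core.hooksPath=/dev/null` part matters because the hook-disabling block only inspects `.git/hooks` relative to the current directory: run from a subdirectory, in a linked worktree where `.git` is a file, or against a repository whose own `.git/config` sets `core.hooksPath`, the chmod and rename never touch the hooks git will actually consult, whereas a command-line `-c` takes precedence over repository config. The header comment promises "changing permission and ownership on `~/.git/hooks`" while the code changes mode only, on `./.git/hooks`, and the echo in the rename loop prints `.git/hook/` where the mv uses `.git/hooks/`. `BASENAME` is assigned and never read.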