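#!/bin/bash
#
# hit: the git interceptor
#
# Main features:
#
# * Neutralises repository hooks before every git invocation: strips the
#   exec bit from everything in ./.git/hooks and renames every non-default
#   hook file to *.sample so git will not pick it up by name.
# * (Currently disabled) Runs git through firejail if it's available.
#
# Known limitations:
#
# * Only ./.git/hooks of the current directory is handled. A repository whose
#   top level is above the current directory, or hooks living in a directory
#   selected via the core.hooksPath config, are not touched.
# * If a hook cannot be neutralised (chmod/mv fails) the script aborts and
#   git is NOT run, so a live hook is never executed by accident.
#
# Other features to consider:
#
# * Check proper user/email config.
# * Automatically set git-flow when initializing a repository.
# * Automatically set git-hooks integration.
# * Allow for hook access control list (i.e, which hooks are allowed).
# * Implement global hooks like using a global init.templateDir config.
# * Check remote configuration.
# * Check hook tampering before doing anything in the repository, like removing hook permissions.

# Parameters
BASENAME="${0##*/}"   # script name; kept for diagnostics, not read below
readonly BASENAME

# Ensure we run a system-wide git installation and not any other script or alias.
# Kept as an array so a sandbox wrapper can be prepended without relying on
# word-splitting of an unquoted string.
GIT=(/usr/bin/git)

# Firejail profile is currently broken for our setup
# Check for firejail
#if command -v firejail >/dev/null 2>&1; then
#  GIT=(firejail "${GIT[@]}")
#fi

#######################################
# Print a diagnostic on stderr and abort without running git.
# Arguments: message words
#######################################
die() {
  printf 'hit: %s\n' "$*" >&2
  exit 1
}

#
# Disable git hooks
#
# A malicious software that is being tested might put arbitrary scripts as git hooks.
# This can be an attack vector if you're testing the software inside a virtual machine but is
# handling git commands from the host machine (like when running vagrant).
#
# By disabling any hooks from being executed we mitigate a possible attack vector.
#
# References:
#
# https://stackoverflow.com/questions/35997624/how-to-disable-git-hooks-for-security-reason
# https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/
HOOKS_DIR=".git/hooks"
if [[ -d "$HOOKS_DIR" ]]; then
  # nullglob: an empty hooks directory must not leave a literal "*" behind.
  shopt -s nullglob
  for hook in "$HOOKS_DIR"/*; do
    # chmod follows symlinks and would change the link target, which may be a
    # file outside the repository; a symlink is neutralised by the rename alone.
    if [[ ! -L "$hook" ]]; then
      chmod -x -- "$hook" || die "cannot remove exec permission from $hook"
    fi

    # Default sample hooks are inert already (git only runs exact hook names).
    [[ "$hook" == *.sample ]] && continue

    # Rename all non-default hook files (overwrites an existing *.sample, as before).
    printf 'hit: renaming %s to %s.sample\n' "$hook" "$hook"
    mv -- "$hook" "$hook.sample" || die "cannot rename $hook"
  done
  shopt -u nullglob
fi

#
# Call git
#
# exec hands the process over to git so its exit status is the script's.
# https://stackoverflow.com/questions/1668649/how-to-keep-quotes-in-args/1669548#1669548
exec "${GIT[@]}" "$@"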