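#!/bin/bash
#
# hit: the git interceptor
#
# A thin wrapper around the system git, meant to be used in place of `git`
# when the repository you are operating on may have been tampered with (for
# instance a checkout shared with a VM in which untrusted software runs).
#
# Main features:
#
# * Neutralises repository hooks before git runs: every non-`.sample` entry in
#   `.git/hooks` (relative to the current directory) loses its exec bit and is
#   renamed to `*.sample`, and git itself is pointed at a hooks directory that
#   cannot hold any (`core.hooksPath=/dev/null`, honoured by git >= 2.9).
# * Runs git through firejail if it's available.
#
# Limitations / other features to consider:
#
# * The rename pass only sees `.git/hooks` in the current directory. The
#   `core.hooksPath` override is what covers subdirectories, worktrees and
#   submodules (where `.git` is a file) and a tampered `core.hooksPath`.
# * The override also disables legitimate global hooks set in `~/.gitconfig`;
#   hook whitelisting is not implemented.
# * Check proper user/email config.
# * Automatically set git-flow when initializing a repository.
# * Automatically set git-hooks integration.
# * Implement global hooks like using a global init.templateDir config.
# * Check remote configuration.
# * Check hook tampering before doing anything in the repository.

# Parameters
readonly BASENAME="$(basename -- "$0")"

# Print a diagnostic on stderr so it never mixes with git's stdout
# (callers may pipe e.g. `hit rev-parse HEAD`).
warn() {
  printf '%s: %s\n' "$BASENAME" "$*" >&2
}

# Ensure we run a system-wide git installation and not any other script or
# alias. Kept as an array so firejail and git options can be prepended
# without relying on word-splitting of a string.
readonly GIT_BIN="/usr/bin/git"
GIT=("$GIT_BIN")

# Check for firejail (command -v is the portable "is it installed?" test).
if command -v firejail > /dev/null 2>&1; then
  GIT=(firejail "${GIT[@]}")
fi

# Tell git to look for hooks in a place that cannot contain any. This applies
# wherever the real hooks directory is, so it also covers the cases the rename
# pass below cannot reach. Older git silently ignores the key, which is why the
# rename pass is kept as a second layer.
GIT+=(-c core.hooksPath=/dev/null)

#
# Disable git hooks
#
# A malicious software that is being tested might put arbitrary scripts as git hooks.
# This can be an attack vector if you're testing the software inside a virtual machine but is
# handling git commands from the host machine (like when running vagrant).
#
# By disabling any hooks from being executed we mitigate a possible attack vector.
#
# References:
#
# https://stackoverflow.com/questions/35997624/how-to-disable-git-hooks-for-security-reason
# https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/
hooks_dir=".git/hooks"
if [[ -d "$hooks_dir" ]]; then
  # Glob instead of parsing `ls`: names with spaces or globs survive intact.
  for hook in "$hooks_dir"/*; do
    # An empty directory leaves the literal pattern behind; skip it. Dangling
    # symlinks fail -e but pass -L and still get renamed below.
    [[ -e "$hook" || -L "$hook" ]] || continue

    # Strip exec bits from regular files only. chmod follows symlinks, so an
    # attacker-planted link in the hooks directory would otherwise make us
    # change the mode of whatever it points at.
    if [[ -f "$hook" && ! -L "$hook" ]]; then
      chmod -x -- "$hook" || warn "could not remove exec bit from $hook"
    fi

    # Rename anything not already a `.sample` so git cannot find it by its hook
    # name. mv does not dereference symlinks; an existing `.sample` of the same
    # name (the stock template) is overwritten, keeping the suspect content
    # around for inspection. Failure is reported, not fatal: the core.hooksPath
    # override above still keeps git from running the hook.
    if [[ "$hook" != *.sample ]]; then
      warn "renaming $hook to $hook.sample"
      mv -f -- "$hook" "$hook.sample" || warn "could not rename $hook"
    fi
  done
fi

#
# Call git
#
# exec hands the terminal and signals straight to git and preserves its exit
# status; "$@" forwards every argument as its own word, quoting intact.
# https://stackoverflow.com/questions/1668649/how-to-keep-quotes-in-args/1669548#1669548
exec "${GIT[@]}" "$@"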