While #xz has people talking about issues with binary test files etc in source repos, and issues with using tarballs that can vary from git, doing a `git clone` and building in there is *also* exposed to a huge amount of binary data.

Including binary data hidden inside #git commit objects, for example. Also git blobs are zlib compressed so might be possible to smuggle in extra binary data at the end. Possibly also at the end of tree objects, I don't remember if git checks for that.


@joeyh Doesn't git have a length field for each blob? That would prevent lots of kinds of abuse. Most of the checks require `git fsck` though, and that isn't run by default. I recommend requiring it in each machine's global git config, e.g. `git config --global transfer.fsckObjects=true`

@eighthave @joeyh I just checked, yes, blobs have a length prepended, and it uses raw deflate, so gzip comment shenanigans either

@mirabilos @eighthave iirc tree objects have a length defined as part of the object, so separate from the blob length and it may be possible to stash something there

commit objects after \0 is the other one I remember was a place to put some data
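The thread asks whether the length header protects a blob and whether bytes could be smuggled after the compressed stream. The script below is an added example, not code from anyone in the thread: it builds a loose object in git's on-disk form (`zlib("<type> <size>\0<body>")`), then inflates it and reports whether the declared size matches the stored body, how many bytes sit past the end of the zlib stream, and the object id computed the way git does (SHA-1 over header plus body, which is why surplus bytes after the stream are not covered by the id). The `make_loose_object` helper and its `trailing`/`declared_size` knobs are constructed here purely to produce test inputs.

```python
import hashlib
import zlib


def make_loose_object(obj_type: bytes, body: bytes, trailing: bytes = b"",
                      declared_size=None) -> bytes:
    """Build the on-disk form of a loose git object: zlib("<type> <size>\\0<body>").

    `trailing` models bytes appended after the zlib stream and `declared_size`
    lets the header lie about the body length; both exist only to build samples."""
    size = len(body) if declared_size is None else declared_size
    header = obj_type + b" " + str(size).encode() + b"\0"
    return zlib.compress(header + body) + trailing


def check_loose_object(raw: bytes) -> dict:
    """Inflate a loose object and compare its header with what was actually stored.

    Reports declared vs. real payload length, how many bytes lie past the end of
    the zlib stream (git never reads those and the object id does not cover them),
    and the object id computed as git does: sha1 over header + body."""
    d = zlib.decompressobj()
    data = d.decompress(raw) + d.flush()
    if not d.eof:
        raise ValueError("zlib stream is truncated")
    nul = data.find(b"\0")
    if nul < 0:
        raise ValueError("no NUL terminator after object header")
    header, body = data[:nul], data[nul + 1:]
    obj_type, size_field = header.split(b" ", 1)
    declared = int(size_field)
    return {
        "type": obj_type.decode(),
        "declared": declared,
        "actual": len(body),
        "trailing": len(d.unused_data),   # surplus bytes after the deflate stream
        "oid": hashlib.sha1(data).hexdigest(),
        "ok": declared == len(body) and not d.unused_data,
    }


if __name__ == "__main__":
    # Constructed samples: a clean blob, one with 64 bytes parked after the stream,
    # and one whose header under-reports the body length.
    for raw in (make_loose_object(b"blob", b"hello\n"),
                make_loose_object(b"blob", b"hello\n", trailing=b"\x00" * 64),
                make_loose_object(b"blob", b"hello\n", declared_size=3)):
        print(check_loose_object(raw))
```

Only the last two checks fail `ok`; all three report the same object id, which is the point: the id and the length header say nothing about bytes after the stream, so a separate surplus check (or `git fsck`) is needed to notice them.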
