
348 points dgl | 5 comments
deanc No.44502682
Would homebrew itself be problematic here? Does it do recursive cloning?

At least a cursory glance at the repo suggests it might: https://github.com/Homebrew/brew/blob/700d67a85e0129ab8a893f...

replies(1): >>44503141
1. msgodel No.44503141
It would be odd if it didn't. Although the goal of homebrew is to execute the code in the repo.

The only situation where the RCE here is a problem is if you clone github repos containing data you don't want to execute. That's fairly unusual.

replies(2): >>44503420 >>44504144
2. leni536 No.44503420
The question is whether recursive submodule checkout happens after some integrity/signature validation or before. The RCE can be an issue in the latter case.
replies(1): >>44506701
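The ordering leni536 raises (validate first, then recurse into submodules) can be enforced on the consumer side regardless of what the tool does by default. The script below is an added example, not code from the thread or from Homebrew: it clones with submodule recursion disabled, checks the checked-out commit against a pinned hash, and only then runs `git submodule update`. The pinned hash stands in for the signature/integrity check discussed above, because the example has to run offline without signing keys; the `lib`/`app` fixture repositories, the `example@example.invalid` identity and the temporary paths are all constructed here. It requires a working `git` on `PATH`.

```shell
#!/bin/sh
# Added example, not code from the thread or from Homebrew.
# Defensive clone order: fetch the top-level repo with submodule recursion
# disabled, check the checked-out commit against a pinned hash (standing in
# for the signature/integrity check discussed in the thread, since this runs
# offline without signing keys), and only then initialise submodules.
set -eu

# Identity for the throwaway commits made below; values are constructed.
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid
# Recent git refuses file:// submodule URLs by default; allow them for this
# local fixture only. Production checkouts should leave that default alone.
export GIT_CONFIG_COUNT=1 GIT_CONFIG_KEY_0=protocol.file.allow GIT_CONFIG_VALUE_0=always

# make_fixture ROOT
# Builds a "lib" repo and an "app" repo that embeds lib as a submodule under
# ROOT (an absolute path). Prints the app's tip commit, i.e. the hash a
# consumer would pin, on stdout.
make_fixture() {
    root=$1
    {
        git init --quiet "$root/lib"
        echo 'int lib(void) { return 1; }' > "$root/lib/lib.c"
        git -C "$root/lib" add lib.c
        git -C "$root/lib" commit --quiet -m "lib: initial"

        git init --quiet "$root/app"
        echo "app" > "$root/app/README"
        git -C "$root/app" add README
        git -C "$root/app" commit --quiet -m "app: initial"
        git -C "$root/app" submodule add --quiet "$root/lib" vendor/lib
        git -C "$root/app" commit --quiet -m "app: add lib submodule"
    } >/dev/null
    git -C "$root/app" rev-parse HEAD
}

# safe_clone URL PINNED_COMMIT DEST
# Returns 0 only when the cloned HEAD equals PINNED_COMMIT. Submodules are
# not touched unless that check passes, so a .gitmodules file from an
# unverified tree is never acted on.
safe_clone() {
    url=$1; pinned=$2; dest=$3
    git clone --quiet --no-recurse-submodules "$url" "$dest"
    actual=$(git -C "$dest" rev-parse HEAD)
    if [ "$actual" != "$pinned" ]; then
        echo "integrity check failed: HEAD is $actual, expected $pinned" >&2
        return 1
    fi
    git -C "$dest" submodule update --init --recursive --quiet
}

# Demo: a correct pin yields the submodule contents; a wrong pin is rejected
# before any submodule is fetched.
demo() {
    tmp=$(mktemp -d)
    pin=$(make_fixture "$tmp")
    safe_clone "$tmp/app" "$pin" "$tmp/good" && echo "ok: vendor/lib populated ($(ls "$tmp/good/vendor/lib"))"
    if safe_clone "$tmp/app" 0000000000000000000000000000000000000000 "$tmp/bad"; then
        echo "unexpected: wrong pin accepted"
    else
        echo "ok: wrong pin rejected, $tmp/bad/vendor/lib left empty"
    fi
    rm -rf "$tmp"
}
demo
```

In a real pipeline the `rev-parse` comparison would be replaced by `git verify-commit` or `git verify-tag` against a trusted keyring, but the structural point is the same: nothing from the fetched tree, `.gitmodules` included, is acted on until the top-level commit has been accepted.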
3. No.44504144
4. johncolanduoni No.44506701
There would also have to be a compromise of the transport (i.e. a MITM of HTTPS or SSH) to use this in most practical scenarios.
replies(1): >>44507557
5. leni536 No.44507557
It still weakens the security; otherwise, why bother with integrity/signature checks if you trust the git remote?