Imagine this. Downloading some code on your computer (just downloading it) can run arbitrary code. Now imagine that this is what (can) happen every time you download a Git repository. Feel uncomfortable yet?
Git hooks are a useful feature. You can configure them to run linting before committing, for example. There are many points where hooks can be run, from committing, to pushing, to pulling, to even cloning!
The repository you clone can run a hook without any other interaction?
It is also run after git-clone, unless the
-n) option is used. The first parameter given to the hook is the null-ref, the second the ref of the new HEAD and the flag is always 1. Likewise for
git worktree add unless
git clone https://git.example.com/evilrepo.git can run arbitrary code on your computer.
Why does this matter? Downloading code to vet it for security, for example, could pwn your machine. It isn't expected that downloading something will automatically run it, which can blindside some people.
Luckily, disabling Git hooks is pretty easy.
For you *nix users out there, just run
git config --global core.hooksPath /dev/null
For you remaining Windows users, it's similar:
git config --global core.hooksPath c:\nul (I haven't tested this because I do not have access to a Windows machine. Please let me know if it works)
This will disable all hooks on your system and you can enable them on a per-repository basis with a similar command:
git config core.hooksPath .git/hooks (replace .git/hooks with where the hooks are stored in the repository).
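Before pointing core.hooksPath back at a repository's hooks directory, it helps to see which hook scripts Git could actually run from it. The script below is an added example, not part of the original post; the function names are made up for illustration, and it assumes the hooks live in the directory you pass in (.git/hooks by default).

```shell
#!/bin/sh
# Added example: list the hook scripts in a hooks directory that Git could run.
# Git ignores hook files that are not executable, and the stock templates
# end in ".sample", so neither of those counts as active.

list_active_hooks() {
    # $1: hooks directory to inspect (assumption: <repo>/.git/hooks)
    hooks_dir=$1
    [ -d "$hooks_dir" ] || return 0
    for hook_file in "$hooks_dir"/*; do
        [ -f "$hook_file" ] || continue          # skip dirs and the unmatched glob
        hook_name=${hook_file##*/}
        case $hook_name in
            *.sample) continue ;;                # shipped template, never run
        esac
        [ -x "$hook_file" ] || continue          # not executable, Git skips it
        printf '%s\n' "$hook_name"
    done
}

hooks_need_review() {
    # Succeeds (exit 0) when at least one active hook is present.
    [ -n "$(list_active_hooks "$1")" ]
}

# Stand-alone use: sh list-hooks.sh [hooks-dir]
if [ "$#" -gt 0 ]; then
    if hooks_need_review "$1"; then
        echo "Active hooks in $1 (read these before enabling them):"
        list_active_hooks "$1"
    else
        echo "No active hooks in $1"
    fi
fi
```

Read each listed script before running the per-repository git config command above.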
This has been a PSA by me. If something is wrong or you just wanna say hi, feel free to contact me.