Hey You! Yes You! Disable Git Hooks!


Category:  programming

Tags:  git security

Imagine this. Downloading some code on your computer (just downloading it) can run arbitrary code. Now imagine that this is what (can) happen every time you download a Git repository. Feel uncomfortable yet?


If you're reading this, you probably know what Git is. You probably don't know what Git hooks are. They're little bits of code that can be executed when you run Git actions in that directory.

It's a useful feature. You can configure it to run linting before committing, for example. There are many points where hooks can be run, from committing, to pushing, to pulling, to even cloning!

Wait, what?

The repository you clone can run a hook without any other interaction?

Yep

The githooks documentation says this about the post-checkout hook: "It is also run after git-clone, unless the --no-checkout (-n) option is used. The first parameter given to the hook is the null-ref, the second the ref of the new HEAD and the flag is always 1. Likewise for git worktree add unless --no-checkout is used."

Simply running git clone https://git.example.com/evilrepo.git can run arbitrary code on your computer.

Why does this matter? Downloading code to vet it for security, for example, could pwn your machine. It isn't expected that downloading something will automatically run it, which can blindside some people.

Luckily, disabling Git hooks is pretty easy.

For you *nix users out there, just run git config --global core.hooksPath /dev/null

For you remaining Windows users, it's similar: git config --global core.hooksPath c:\nul (I haven't tested this because I do not have access to a Windows machine. Please let me know if it works)

This will disable all hooks on your system, and you can enable them on a per-repository basis with a similar command run inside that repository: git config core.hooksPath .git/hooks (replace .git/hooks with where the hooks are stored in the repository). The repository-local setting overrides the global one.
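As an added example (not part of the original post), a small Python audit that applies Git's own rule for which hooks fire: a hook runs only if an executable file named after the hook exists under the effective hooks directory, so pointing core.hooksPath at /dev/null leaves nothing to run. The repository it inspects is constructed in a temp directory, and KNOWN_HOOKS is a hand-picked subset of the hook names from githooks(7).

```python
"""Report which Git hooks would actually execute for a checkout."""
import configparser
import os
import stat
import tempfile

# Subset of hook names from githooks(7); extend as needed (assumption, not exhaustive).
KNOWN_HOOKS = {"pre-commit", "prepare-commit-msg", "commit-msg", "post-commit",
               "pre-push", "post-checkout", "post-merge", "pre-rebase"}


def configured_hooks_path(gitconfig_text):
    """Return core.hooksPath from gitconfig text (e.g. ~/.gitconfig), or None if unset."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case so "hooksPath" is matched as written
    parser.read_string(gitconfig_text)
    return parser.get("core", "hooksPath", fallback=None)


def active_hooks(repo_dir, hooks_path=None):
    """List hooks Git would run: executable, known-name files in the hooks dir.
    Git ignores *.sample files and non-executable files; a relative hooksPath
    is resolved against the working tree, and a non-directory such as
    /dev/null means no hook can ever be found."""
    hooks_dir = hooks_path if hooks_path is not None else os.path.join(repo_dir, ".git", "hooks")
    if not os.path.isabs(hooks_dir):
        hooks_dir = os.path.join(repo_dir, hooks_dir)
    if not os.path.isdir(hooks_dir):
        return []
    return sorted(
        name for name in os.listdir(hooks_dir)
        if name in KNOWN_HOOKS
        and os.path.isfile(os.path.join(hooks_dir, name))
        and os.access(os.path.join(hooks_dir, name), os.X_OK)
    )


def build_demo_repo():
    """Constructed sample checkout: one live hook, one non-executable hook,
    and one .sample file, as a fresh .git/hooks directory typically looks."""
    repo = tempfile.mkdtemp()
    hooks = os.path.join(repo, ".git", "hooks")
    os.makedirs(hooks)
    for name, executable in (("post-checkout", True), ("commit-msg", False),
                             ("pre-commit.sample", True)):
        path = os.path.join(hooks, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hook ran\n")
        if executable:
            os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return repo
```

Running active_hooks(repo) with the global setting from the post (core.hooksPath = /dev/null) returns an empty list, while the default .git/hooks location reports the live post-checkout hook.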

This has been a PSA by me. If something is wrong or you just wanna say hi, feel free to contact me.
