For security reasons I would like git hooks to be disabled by default.
More specifically, when I run a git command in any git repository on my (Kubuntu) OS account, no git hooks should be executed, unless somehow specified.
I run all my code in Vagrant or Docker and the attack I want to avoid is the one where malicious code in the VM writes to the git hooks directory and thus gets itself onto the host machine. Disabling git hooks by default is a line of defense against this.
I'm looking for a solution that does not require per repository work and state. In my search I ran into this script which breaks both those requirements.
Ideally there is a simple solution such as putting this in .bash_aliases:
alias git='/usr/bin/git --no-hooks'
Use the --no-verify option to skip git commit hooks, e.g. git commit -m "commit message" --no-verify. When the --no-verify option is used, the pre-commit and commit-msg hooks are bypassed.
Quick tip if you want to skip the pre-commit validations and quickly want to get a commit out there. To get your commit through without running that pre-commit hook, use the --no-verify option. Voila, without pre-commit hooks running!
Implementing Git Hooks
Upon initializing a new project, Git populates the hooks folder with template files. To enable the hook scripts, simply remove the .sample extension from the file name. Git will automatically execute the scripts based on the naming.
Setting core.hooksPath in $HOME/.gitconfig seems to work for me:
[core]
    hooksPath = $SOME_DIR_WITHOUT_HOOKS
To enable hooks for a specific repo, you can probably reset it in $REPO/.git/config:
[core]
    hooksPath = $GIT_DIR/hooks
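The following script is an added example, not code from the answer above, that checks the core.hooksPath defense end to end: it creates a repository with a pre-commit hook that drops a marker file, confirms the hook fires, applies the global setting, confirms the hook is skipped, and then confirms that a per-repository core.hooksPath re-enables it. It assumes git is installed and runs entirely under a throwaway HOME in a temp directory. One caveat the answer glosses over: Git does not expand $VARIABLES inside config values, so the global entry and any per-repo override need a literal path rather than $SOME_DIR_WITHOUT_HOOKS or $GIT_DIR/hooks.

```shell
#!/bin/sh
# Added example, not part of the answer above: verify that a global
# core.hooksPath pointing at an empty directory stops a repository-local
# pre-commit hook from running, and that a per-repo setting re-enables it.
# Assumes git is installed. Everything runs under a throwaway HOME inside a
# temp directory, so the real ~/.gitconfig is never modified.
set -eu

# Create a repo whose pre-commit hook drops a marker file in the work tree.
# The hook stands in for anything a guest VM might write into .git/hooks.
make_repo_with_hook() {
    repo=$1
    git init -q "$repo"
    git -C "$repo" config user.email "probe@example.invalid"
    git -C "$repo" config user.name "probe"
    cat > "$repo/.git/hooks/pre-commit" <<'EOF'
#!/bin/sh
touch HOOK_RAN   # hooks run from the top of the work tree
EOF
    chmod +x "$repo/.git/hooks/pre-commit"
}

# Make one commit and report whether the hook fired: prints "ran" or "skipped".
commit_and_probe() {
    repo=$1
    rm -f "$repo/HOOK_RAN"
    echo "x" >> "$repo/file.txt"
    git -C "$repo" add file.txt
    git -C "$repo" commit -q -m "probe" >/dev/null
    if [ -e "$repo/HOOK_RAN" ]; then echo ran; else echo skipped; fi
}

# Whole scenario. Prints three words: hook status with no global setting,
# with the global core.hooksPath defense, and with the per-repo opt-in.
hooks_defense_demo() {
    sandbox=$(mktemp -d)
    HOME="$sandbox/home"; export HOME
    XDG_CONFIG_HOME="$HOME/.config"; export XDG_CONFIG_HOME
    GIT_CONFIG_NOSYSTEM=1; export GIT_CONFIG_NOSYSTEM   # ignore /etc/gitconfig too
    mkdir -p "$HOME" "$sandbox/nohooks"   # empty directory: nothing to execute
    make_repo_with_hook "$sandbox/repo"

    before=$(commit_and_probe "$sandbox/repo")

    # The defense from the answer: every repo now looks for hooks in an empty
    # directory. Git does not expand $VARIABLES in config values, so use a real path.
    git config --global core.hooksPath "$sandbox/nohooks"
    during=$(commit_and_probe "$sandbox/repo")

    # Per-repo opt-in: the repository's own config overrides the global value.
    git -C "$sandbox/repo" config core.hooksPath "$sandbox/repo/.git/hooks"
    after=$(commit_and_probe "$sandbox/repo")

    rm -rf "$sandbox"
    echo "$before $during $after"   # expected: ran skipped ran
}

hooks_defense_demo
```

Run it as `sh hooks_check.sh`; the single output line "ran skipped ran" confirms the global setting blocks the repo-local hook and that the per-repo override restores it. Because the marker is written by the hook itself, the check observes what Git actually executed rather than what the config says.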
The hooks are not the only way an attacker with write access to the .git directory can attack the user of the .git directory; the option diff.external, for example, can be set to execute anything, and who keeps track of all new Git features?
Even letting the attacker have write access to the repository may be bad, if your development environment looks for configuration files within, or if it has some script that is executed locally.
Protecting .git is still a good idea. I propose these solutions:
1. Make .git read-only in the virtual machine.
2. Keep the .git directory outside the working directory shared with the virtual machines. The --git-dir flag or the GIT_DIR environment variable controls where Git looks for the .git directory. This has the drawback that the .git directory is not shared with the virtual machine if it needs it, and that the command line flag or the environment variable will need to be set before working with each different repository.
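The answer above makes the point that hooks are only one of several config-driven ways Git can be made to run a program. The script below is an added example, not part of the answer, of a defender-side audit for that wider class: it lists every entry in a Git config file whose value Git executes. The key list is an assumption drawn from documented Git options (diff.external, which the answer names, plus hooksPath, pager, editor, sshCommand, fsmonitor, gitProxy, credential.helper, diff/filter/merge driver commands and shell aliases) and is not claimed to be exhaustive; the sample config, its paths and its URL are constructed for the demo. It assumes git is installed, using it only to parse the file.

```shell
#!/bin/sh
# Added example, not part of the answer above: audit a Git config file for
# settings whose value Git hands to a shell or executes as a program. Hooks are
# only the best-known case; diff.external (named in the answer) is another.
# The key list below is an assumption drawn from documented Git options and is
# not exhaustive. Assumes git is installed (used only to parse the file).
set -eu

# Keys whose values are run as commands. 'git config --list' lowercases the
# section and key names, so the patterns are written in lower case.
RISKY_RE='^(core\.hookspath|diff\.external|core\.pager|core\.editor|core\.sshcommand|core\.fsmonitor|core\.gitproxy|credential\.helper|diff\.[^.]+\.command|filter\.[^.]+\.(clean|smudge|process)|merge\.[^.]+\.driver|alias\.[^=]+=!)'

# Print every flagged key=value line from the given config file.
# Returns 0 when nothing is flagged, 1 when at least one setting is.
audit_git_config() {
    cfg=$1
    hits=$(git config --file "$cfg" --list | grep -E "$RISKY_RE" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Demo on a constructed config: two harmless entries and two that execute
# programs. The paths and URL are made up for the example.
audit_demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://example.invalid/repo.git
[diff]
    external = /opt/tools/diff-wrapper.sh
[alias]
    st = status
    deploy = !./scripts/deploy.sh
EOF
    if audit_git_config "$cfg"; then
        status=clean
    else
        status=flagged
    fi
    rm -f "$cfg"
    echo "status=$status"
}

audit_demo
```

Pointed at a real repository (`audit_git_config path/to/repo/.git/config`) it prints the diff.external and alias entries from the sample and exits non-zero, which makes it usable as a pre-flight check before working in a repository whose .git directory a guest could have written to. Anything it flags deserves a look before the next git command runs, since a legitimate-looking alias or driver is just as executable as a hook.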