 

Is it dangerous to open or clone a Git repository from an untrusted source

I was sent a Git repository (the .git folder) from an untrusted source.

I want to take a look at it with GitHub Desktop that I have installed, but I don't know enough about the inner workings of Git to know if this is dangerous. Is it safe like opening a text file with notepad, or potentially more dangerous?

Louie asked Oct 21 '25 08:10


2 Answers

tl;dr: cloning is safer than receiving a .git directory.

Details:

Do not blindly trust a repo someone gives you by handing you the .git directory. Presumably if someone gives you a repo, you're going to do something with it.

It won't hurt anything just sitting on your machine, but it's possible it could hurt you if you use the repo. The biggest concern is Git hooks, which are, by default, found in the folder: .git/hooks. Hooks can run arbitrary scripts when you type regular Git commands like commit, rebase, merge, push, etc. The location of those hooks can also be changed by using a config setting, which is found in the file .git/config. Also found in that config may be Git aliases, which you may want to inspect to make sure nothing funky is going on. Note that the config file can also include other config files as well, so you'd have to see if any others are being included.

If you're worried about it, I believe it would be safe to simply clone that repo to another folder. AFAIK that shouldn't bring in any of the customized configs or hooks. When you clone the repo, you should end up in the state as described in matt's answer.

TTT answered Oct 23 '25 22:10
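The answer above lists four things worth looking at in a .git directory you were handed: live hooks in .git/hooks, a relocated hooks directory (core.hooksPath), aliases, and include directives in .git/config. The script below is an added example, not code from either answer or from Git itself. It reads those items with only find and awk, so no git command is ever run against the untrusted repository (which is the point: running git inside it is exactly what could trigger a hook). The sample .git directory it builds in a temp folder is constructed for the demonstration; the hook contents, alias names and include paths in it are made up.

```shell
#!/bin/sh
# Added example (not from the original answers): list the items in a received
# .git directory that TTT's answer says to inspect, without invoking git.
# Output lines are tagged HOOK:, HOOKSPATH:, ALIAS: and INCLUDE:.

inspect_git_dir() {
    gitdir="$1"

    # 1. Hook scripts in the default location. Git ships *.sample files that it
    #    never runs; any other file here is a live hook.
    if [ -d "$gitdir/hooks" ]; then
        find "$gitdir/hooks" -type f ! -name '*.sample' | while read -r h; do
            printf 'HOOK: %s\n' "$h"
        done
    fi

    # 2. .git/config: a relocated hooks directory (core.hooksPath), aliases
    #    (an alias whose value starts with "!" runs a shell command) and
    #    include / includeIf directives that pull in further config files.
    [ -f "$gitdir/config" ] || return 0
    awk '
        /^[ \t]*\[/ {                       # section header, e.g. [core] or [includeIf "gitdir:..."]
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            next
        }
        /^[ \t]*(#|;|$)/ { next }            # comment or blank line
        {
            key = $0; sub(/[ \t]*=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            s = tolower(section); k = tolower(key)
            if (s == "core" && k == "hookspath")          print "HOOKSPATH: " val
            else if (s == "alias")                        print "ALIAS: " key " = " val
            else if (s == "include" || s ~ /^includeif /) print "INCLUDE: [" section "] " key " = " val
        }
    ' "$gitdir/config"
}

# Constructed sample (hypothetical values): a throwaway .git directory with one
# live hook, one inert .sample hook, and a config exercising each setting above.
make_sample_gitdir() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/gitinspect.XXXXXX")
    mkdir -p "$tmp/.git/hooks"
    printf '#!/bin/sh\necho "hook ran"\n' > "$tmp/.git/hooks/pre-commit"
    chmod +x "$tmp/.git/hooks/pre-commit"
    printf '#!/bin/sh\n' > "$tmp/.git/hooks/pre-push.sample"
    cat > "$tmp/.git/config" <<'EOF'
[core]
    repositoryformatversion = 0
    hooksPath = .git/extra-hooks
[alias]
    st = status
    hello = !echo hello
[include]
    path = ../other.inc
[includeIf "gitdir:~/work/"]
    path = work.inc
EOF
    printf '%s\n' "$tmp/.git"
}

# Usage: inspect_git_dir /path/to/received/.git
gitdir=$(make_sample_gitdir)
inspect_git_dir "$gitdir"
rm -rf "$(dirname "$gitdir")"
```

On the constructed sample this reports the pre-commit hook (but not the .sample file), the hooksPath override, both aliases and both include directives. An empty report is not proof of safety, since the included files are not followed here; it is the list of places to read before running any git command in that directory, or a reason to take the answer's advice and clone it into a fresh folder instead.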


A Git repository effectively "contains" some files in a sort of dehydrated form. When you check out the main branch of the repository, they are rehydrated — that is, you now "have" those files. That's all that happens.

The "danger" is therefore just like the danger of having any file that you aren't sure about — no more, and no less. The fact that you received these files wrapped up in a Git repository is irrelevant.

For example, can a virus or similar spread from the mere presence of a certain file on your computer? If so, then there is that same danger in this instance. If the danger comes more from opening a file (e.g., looking at it in Microsoft Word, or running it as an executable), then if one of the files is that kind of file, there would be that same danger if you were to open it. And so on.

matt answered Oct 23 '25 21:10