
Sanitize git folder after each build

John Cai requested to merge jc-cleanup-git-dirs into main

What does this MR do?

Cleans up the git folder itself to prevent any kind of poisoning that might happen during the build.

Why was this MR needed?

There are some attack vectors through Git that we want to protect against. By sanitizing the Git directory after each build, we minimize the surface area for attacks.

What's the best way to test this MR?

Run a runner built off of main; observe that arbitrary code execution happens.

Run the following job on any branch in a test project. Be sure to use the shell executor so that it's not an ephemeral build environment.

.gitlab-ci.yml
job:
  script:
    # Stop here if this working tree was already poisoned by an earlier run.
    - grep hooksPath .git/config && exit
    # Point git at a hooks directory the job controls; with the shell executor
    # the working tree, and so this .git/config, survive into the next job.
    - echo "[core]" >> .git/config
    - echo "    hooksPath = $CI_PROJECT_DIR/.git/evil" >> .git/config
    - mkdir -p "$CI_PROJECT_DIR/.git/evil/"
    # Plant a post-checkout hook; the runner's next checkout in this directory runs it.
    - echo "#! /bin/sh" >> "$CI_PROJECT_DIR/.git/evil/post-checkout"
    - echo "echo Executed evil code in post-checkout." >> "$CI_PROJECT_DIR/.git/evil/post-checkout"
    - chmod +x "$CI_PROJECT_DIR/.git/evil/post-checkout"
  tags:
    - shell

Now run any job on any other branch on the same test project. You will see the code execution:

[screenshot of the job log]

Now run a runner built off of this branch; observe that the code execution does not work.

(Be sure to clean the build folder from step 1)

Run the same job as step 1

Ensure the job completes. This means the git config was tampered with.

Run another job off of a different branch on the same project. Observe the code execution does not happen.

What are the relevant issue numbers?

closes #27864

Edited by John Cai
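The MR's own sanitization code is not shown on this page. As an added illustration, not GitLab Runner's code, the following Go program shows one way to sanitize a build's `.git` directory against the scenario in the test job above: it deletes the default hooks directory and rewrites `.git/config` keeping only an allowlist of keys, so `core.hooksPath` and any other config key that makes git run something (`include.path`, `core.fsmonitor`, `core.sshCommand`, filter drivers, ...) is dropped without having to enumerate them. The function names, the contents of the allowlist and the sample config are assumptions made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Keys a fresh clone legitimately carries (hypothetical allowlist). Everything else,
// including whatever nobody thought to deny, is dropped, so the check fails closed.
var allowedKeys = map[string]bool{
	"core.repositoryformatversion": true,
	"core.filemode":                true,
	"core.bare":                    true,
	"remote.origin.url":            true,
	"remote.origin.fetch":          true,
}

// fullKey builds the dotted key git reports for a variable under header, e.g.
// `[remote "origin"]` + `url` -> "remote.origin.url". Section and variable names are
// case-insensitive in git and are lower-cased here; the quoted subsection keeps its case.
func fullKey(header, name string) string {
	h := strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(header), "["), "]")
	section, sub, hasSub := strings.Cut(h, " ")
	key := strings.ToLower(section)
	if hasSub {
		key += "." + strings.Trim(strings.TrimSpace(sub), `"`)
	}
	return key + "." + strings.ToLower(strings.TrimSpace(name))
}

// SanitizeConfig filters git config text down to allowlisted keys and returns the text
// plus the dotted keys it removed. Any line that is not blank, a comment or a section
// header is resolved as a variable, so continuation lines and bare booleans are checked too.
func SanitizeConfig(in string) (string, []string) {
	var kept, dropped []string
	header := ""
	sc := bufio.NewScanner(strings.NewReader(in))
	for sc.Scan() {
		line := sc.Text()
		t := strings.TrimSpace(line)
		switch {
		case t == "" || t[0] == '#' || t[0] == ';':
			kept = append(kept, line)
		case t[0] == '[':
			header = t
			kept = append(kept, line)
		default:
			name, _, _ := strings.Cut(t, "=")
			if key := fullKey(header, name); allowedKeys[key] {
				kept = append(kept, line)
			} else {
				dropped = append(dropped, key)
			}
		}
	}
	return strings.Join(kept, "\n") + "\n", dropped
}

// SanitizeGitDir clears the two places a build can plant code for the next git
// invocation: the default hooks directory and non-allowlisted config keys. It refuses
// to rewrite .git/config through a symlink, so a job cannot redirect the write elsewhere.
func SanitizeGitDir(gitDir string) ([]string, error) {
	if err := os.RemoveAll(filepath.Join(gitDir, "hooks")); err != nil {
		return nil, err
	}
	cfgPath := filepath.Join(gitDir, "config")
	if fi, err := os.Lstat(cfgPath); err != nil {
		return nil, err
	} else if !fi.Mode().IsRegular() {
		return nil, fmt.Errorf("%s is not a regular file (%v)", cfgPath, fi.Mode())
	}
	raw, err := os.ReadFile(cfgPath)
	if err != nil {
		return nil, err
	}
	clean, dropped := SanitizeConfig(string(raw))
	if err := os.WriteFile(cfgPath, []byte(clean), 0o644); err != nil {
		return nil, err
	}
	return dropped, nil
}

// poisonedConfig is a constructed .git/config as the test job leaves it, plus an
// include.path line as a second code-running vector.
const poisonedConfig = `[core]
	bare = false
	hooksPath = /builds/group/project/.git/evil
[remote "origin"]
	url = https://gitlab.example.com/group/project.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[include]
	path = /tmp/evil.inc
`

func main() {
	dir, _ := os.MkdirTemp("", "gitdir") // stand-in for the build's .git directory
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "config"), []byte(poisonedConfig), 0o644)
	dropped, err := SanitizeGitDir(dir)
	fmt.Println(dropped, err) // [core.hookspath include.path] <nil>
}
```

An allowlist is used rather than a list of known-bad keys because git keeps growing config settings that execute programs, and a denylist has to be updated for each one; the cost is that any extra key the runner itself relies on must be added to the allowlist. The `Lstat` check matters on a persistent shell executor: a job that replaces `.git/config` with a symlink would otherwise turn the sanitizer into a file-write primitive on the runner host. This example does not handle a `.git` that is a `gitdir:` pointer file (worktrees) or configuration git reads from outside the repository.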
