On Mon, Nov 07, 2016 at 04:10:10PM -0500, Jeff King wrote:

> And I'll admit my main motivation is not that index/filesystem parity,
> but rather just that:
> 
>   git clone git://host.com/malicious-repo.git
>   git log
> 
> might create and read symlinks to arbitrary files on the cloner's box.
> I'm not sure to what degree to be worried about that. It's not like you
> can't make other arbitrary symlinks which are likely to be read if the
> user actually starts looking at checked-out files. It's just that we
> usually try to make a clone+log of a malicious repository safe.

Another approach is to have a config option to disallow symlinks to
destinations outside of the repository tree (I'm not sure if it should
be on or off by default, though).

Again, I don't know that there is a specific security issue, but it
makes things easier for services which might clone untrusted
repositories (e.g., things like CI). They'd obviously have to be careful
with the contents of the repositories anyway, but it's one less thing to
have to worry about.

-Peff
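
The check suggested above, written as an audit a CI service could run on an untrusted clone before reading any checked-out file. This is an added example, not part of the original message and not git's own code or an existing git option; the function name `escaping_symlinks` and the choice to skip `.git` are assumptions made here.

```python
import os
import sys


def escaping_symlinks(repo_root):
    """Return sorted (link path relative to repo_root, raw target) pairs for
    symlinks in the working tree that resolve outside repo_root."""
    root = os.path.realpath(repo_root)
    found = []
    # followlinks=False: never descend through a symlinked directory.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Assumption: only checked-out content is audited, not git metadata.
        if ".git" in dirnames:
            dirnames.remove(".git")
        # Symlinks to directories are listed in dirnames, all others
        # (including dangling links) in filenames.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.readlink(path)
            # realpath resolves chains of links and applies ".." only after
            # each link is resolved, so a link that escapes by passing
            # through another in-tree link is caught as well. It uses
            # lstat/readlink only and never opens the target.
            resolved = os.path.realpath(path)
            if os.path.commonpath([root, resolved]) != root:
                found.append((os.path.relpath(path, root), target))
    return sorted(found)


if __name__ == "__main__":
    hits = escaping_symlinks(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, target in hits:
        print(f"{rel} -> {target}")
    # Non-zero exit lets a CI step fail the job when any link escapes.
    sys.exit(1 if hits else 0)
```
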
