Bitecode blog

Knowledge for JVM-hungry people

Introduction

When checking git log or the GitHub commit history, we can see that each commit has a corresponding author. We have learned to trust that information.

What if I told you that this information can be easily spoofed?

What is git log

Every time we commit changes to the git repository, git stores information about the author of the commit.

This information is stored per commit object and can be displayed by executing the git log command.

Where does git log get the author information from?

When you set up a fresh machine, you need to provide a name and email address for the git committer. This information can be stored:

  • per project (.git/config)
  • globally in the git configuration file (~/.gitconfig)

Spoofing the author information

Not surprisingly, this information can always be adjusted later the same way. Just for completeness - here is how you can do it:

git config --global user.email "Your Email"

Changing the name alone will not work, because the displayed identity is resolved from the email address, not from the name:

git config --global user.name "Your Name"

After running these commands, one can switch identity and appear in git log or the GitHub commit history as someone else.

Security implications

In this short article I’m not going to describe all possible attack vectors, but here are a few.

Making the commit look like it was done by someone else

A bad actor can hide his/her tracks by making the changes look as if they were implemented by another team member. That seems quite simple to catch in the review process, but remember - reviews are not perfect. The default GitHub review flow is that once a PR is approved, the author can commit some more and finally push any code he/she likes. You see where I’m going? A bad actor could simply push yet another commit to a specific PR and pretend to be the PR’s author. The last commit in the list could obviously be spotted easily by the PR author, but hey.. the bad actor could use git push --force.

What about making you think that the famous Josh Long committed something into my pet project?

Specifically, making the commit look like it was done by a bot

Would you check the content of the commit if you saw that it was done by a dependency bot?

What is not allowed?

Obviously (or not), it’s not possible to commit to a project owned by the spoofed user: spoofing the author information does not grant any push access.

Solution

There is a simple remedy to this issue. One can configure commit signing with his/her own GPG or SSH private key. The corresponding public key is later used to verify that the signer of the commit is a valid party. Git users can check whether the commit author is verified, or one can even configure the git repository so that it rejects unsigned commits. The latter is highly recommended.
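As an added example (not code from the original post), here is a small Python audit that parses the output of `git log --format='%H%x09%G?%x09%ae%x09%an'` and flags commits that are unsigned or badly signed, or whose author email or name does not match a team roster. The sample log lines, email addresses, names and roster are constructed for this example.

```python
"""Audit commit signatures and author identities from `git log` output.

Parses lines produced by:
    git log --format='%H%x09%G?%x09%ae%x09%an'
%G? is git's signature status letter: G good, U good but untrusted key,
B bad, X/Y expired, R revoked, E cannot be checked, N no signature.
"""
from dataclasses import dataclass

# Constructed sample output: hashes, people and addresses are made up.
SAMPLE_LOG = """\
a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2\tG\talice@example.com\tAlice
b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3\tN\tbob@example.com\tBob
c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4\tN\talice@example.com\tAlice
d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5\tB\tbob@example.com\tBob
e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6\tG\tbot@example.com\tdeps-bot
f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1\tG\tbob@example.com\tAlice
"""

# Hypothetical team roster: the only identities allowed to appear as authors.
KNOWN_AUTHORS = {"alice@example.com": "Alice", "bob@example.com": "Bob"}

# U is a valid signature from a key not yet marked trusted; everything else
# (bad, expired, revoked, unverifiable, missing) is reported as a finding.
ACCEPTED_STATUS = {"G", "U"}


@dataclass(frozen=True)
class Finding:
    sha: str
    reason: str


def audit_log(log_text, known_authors=KNOWN_AUTHORS):
    """Return one Finding per problem; an empty list means every commit is
    signed with an accepted key by a rostered identity."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, status, email, name = line.split("\t", 3)
        if status not in ACCEPTED_STATUS:
            # user.email / user.name alone prove nothing; only the signature does
            findings.append(Finding(sha, f"signature status {status!r}: author {email} is unverified"))
        if email not in known_authors:
            findings.append(Finding(sha, f"author email {email} is not on the team roster"))
        elif known_authors[email] != name:
            findings.append(Finding(sha, f"name {name!r} does not match roster entry for {email}"))
    return findings
```

Commit c3d4… in the sample carries Alice's email but no signature, which is exactly what a spoofed user.email looks like once signing is enforced.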

Outcomes

By default, the git environment is not secured against bad actors, who can easily forge commits as other team members.
Make sure you grant only the access that is needed to the repository - never give write access when it’s not needed. Whenever possible, use commit signing.
