Introduction
When checking the git log or the GitHub commit history, we can see that each commit has a corresponding author. We have learned to trust that information.
What if I told you that this information can be easily spoofed?
What is git log
Every time we commit changes to a git repository, git stores information about the author of the commit. This information is stored per commit object and can be displayed by running the git log command.
Where does git log get the author information from?
When you set up a fresh machine, you need to provide a name and an email address for the git committer. This information can be stored:
- per project (.git/config)
- globally, in the git configuration file (~/.gitconfig)
Spoofing the author information
Not surprisingly, this information can always be adjusted later in the same way. Just for completeness, here is how you can do it:
git config --global user.name "Your Name"
git config --global user.email "Your Email"
After successfully executing those commands, one can switch identity and appear in the git log or the GitHub commit history as someone else.
Security implications
Spoofing the author information can be used to:
- make the commit look like it was done by someone else
- specifically, make the commit look like it was done by a bot
Can a bad actor hide their tracks by making the changes look as if they were implemented by another team member? Would you check the content of a commit if you saw that it was done by a dependency bot?
In this short article I'm not going to describe all possible attack vectors, but pushing malicious code into a repository can surely be harmful to the product and even to the security of other team members.
Solution
There is a simple remedy for this issue. One can configure commit signing with one's own GPG or SSH private key. The public key is later used to verify that the signer of the commit is a valid party. Git users can check whether the commit author is verified, or one can even configure the git repository so that it rejects unsigned commits. The latter is highly recommended.
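To make the "reject unsigned commits" option concrete, here is an added example (my own, not code from the article): a hypothetical server-side pre-receive hook in POSIX shell that refuses any push containing a commit whose signature does not verify. It assumes the server's gpg keyring holds the team's public keys marked as trusted, because git reports a merely imported key as "U", not "G".

```shell
#!/bin/sh
# Added example, not from the article: a hypothetical pre-receive hook
# that rejects pushed commits whose signature does not verify. Assumes
# gpg on the server knows the team's public keys and trusts them.

# Map one letter of git's %G? placeholder to a reason; succeed only for G.
#   G good   U good, key validity unknown   N unsigned   B bad
#   E key missing   X/Y expired signature/key   R revoked key
signature_status_ok() {
    case "$1" in
        G)   echo "good signature"; return 0 ;;
        U)   echo "good signature, but key validity is unknown"; return 1 ;;
        N)   echo "no signature"; return 1 ;;
        B)   echo "bad signature"; return 1 ;;
        E)   echo "signature cannot be checked (public key missing)"; return 1 ;;
        X|Y) echo "expired signature or key"; return 1 ;;
        R)   echo "signature made by a revoked key"; return 1 ;;
        *)   echo "unknown signature status '$1'"; return 1 ;;
    esac
}

# Verify every commit a ref update introduces: $1 old sha, $2 new sha.
check_range() {
    old=$1; new=$2; rc=0
    case "$old" in
        *[!0]*) range="$old..$new" ;;        # existing branch: new commits only
        *)      range="$new --not --all" ;;  # new branch: commits not yet reachable
    esac
    # $range is unquoted on purpose so "--not --all" splits into arguments.
    for commit in $(git rev-list $range); do
        status=$(git log -1 --format=%G? "$commit")
        reason=$(signature_status_ok "$status") || {
            echo "rejected $commit: $reason" >&2; rc=1
        }
    done
    return $rc
}

# Hook entry point: git feeds "oldsha newsha refname" per updated ref on stdin.
pre_receive_main() {
    fail=0
    while read -r old new ref; do
        case "$new" in *[!0]*) check_range "$old" "$new" || fail=1 ;; esac  # skip deletions
    done
    return $fail
}

# Run the hook only when installed under its hook name (hooks/pre-receive).
case "$0" in *pre-receive) pre_receive_main ;; esac
```

Install it as hooks/pre-receive in the bare repository on the server; a non-zero exit from the hook makes git refuse the whole push.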
Outcomes
By default, a git environment is not secured against bad actors, who can easily forge commits as other team members.
Make sure you grant only the access to the repository that is needed; never give write access when it's not needed.
Whenever possible, use commit signing.