New issue
Advanced search Search tips
Starred by 5 users

Issue metadata

Status: Released
Owner: ----
Closed: Jun 2016

Sign in to add a comment

Submodule subscriptions may allow security breaches.

Project Member Reported by, Apr 16 2015

Issue description

Affected Version:

What steps will reproduce the problem?
1. Eve gains access to an arbitrary repository on a host (such as by asking for a personal playground repo, called playground-eve to learn git pushes, whatever)

2. Eve gains knowledge of a non public repository (let's call it top-secret) name by accident or by guessing.

3. Eve sets up a submodule subscription as documented in
to track the top-secret repository as a submodule.

4) Information about changes made to the top-secret repository will show up as the submodule updates in playground-eve. This includes commit ids and more problematic commit messages, (including change ids).

What is the expected output? What do you see instead?

There is *no* permission/acl checking at all in the submodule subscription
feature. I'd expect the owners of top-secret to configure if that
repo can be subscribed to (who can do it? how does the acl of subscribing repo look like)

This breach means you can gain knowledge of commit messages of any repository on a host provided you have access to at least one repository on that host.
Project Member

Comment 1 by, Jun 3 2016

Labels: Restrict-View-SecurityIssue
Project Member

Comment 2 by, Jun 14 2016

This was fixed by the addition of submodule ACLs.
Project Member

Comment 3 by, Jun 14 2016

Status: Released (was: New)
Labels: FixedIn-2.13
Status: Submitted (was: Released)
Can we remove the security and nonpublic labels from this?  Otherwise it won't be visible to people who click through from the 2.13 release notes.
Project Member

Comment 7 by, Aug 26 2016

I think we can remove the security label here.
Labels: -Security -NonPublic -Restrict-View-SecurityIssue
Project Member

Comment 9 by, Sep 22 2016

Status: Released (was: Submitted)

Sign in to add a comment