New issue
Advanced search Search tips
Starred by 5 users
Status: Released
Owner: ----
Closed: Jun 2016

Sign in to add a comment
Submodule subscriptions may allow security breaches.
Project Member Reported by, Apr 16 2015 Back to list
Affected Version:

What steps will reproduce the problem?
1. Eve gains access to an arbitrary repository on a host (such as by asking for a personal playground repo, called playground-eve to learn git pushes, whatever)

2. Eve gains knowledge of a non public repository (let's call it top-secret) name by accident or by guessing.

3. Eve sets up a submodule subscription as documented in
to track the top-secret repository as a submodule.

4) Information about changes made to the top-secret repository will show up as the submodule updates in playground-eve. This includes commit ids and more problematic commit messages, (including change ids).

What is the expected output? What do you see instead?

There is *no* permission/acl checking at all in the submodule subscription
feature. I'd expect the owners of top-secret to configure if that
repo can be subscribed to (who can do it? how does the acl of subscribing repo look like)

This breach means you can gain knowledge of commit messages of any repository on a host provided you have access to at least one repository on that host.
Project Member Comment 1 by, Jun 3 2016
Labels: Restrict-View-SecurityIssue
Project Member Comment 2 by, Jun 14 2016
This was fixed by the addition of submodule ACLs.
Project Member Comment 3 by, Jun 14 2016
Status: Released
Labels: FixedIn-2.13
Status: Submitted
Can we remove the security and nonpublic labels from this?  Otherwise it won't be visible to people who click through from the 2.13 release notes.
Project Member Comment 7 by, Aug 26 2016
I think we can remove the security label here.
Labels: -Security -NonPublic -Restrict-View-SecurityIssue
Project Member Comment 9 by, Sep 22 2016
Status: Released
Sign in to add a comment