Web lists-archives.com

Re: Git ransom campaign incident report - May 2019

On Wed, May 15, 2019 at 08:59:47PM +0200, Ævar Arnfjörð Bjarmason wrote:

> On Wed, May 15 2019, Martin Langhoff wrote:
> > Spotted this on the internet...
> >
> > https://github.blog/2019-05-14-git-ransom-campaign-incident-report/
> >
> > Haven't hacked on git for a while, and I am not affiliated with any of
> > the stakeholders. However, reading it, I wanted to slam my head on the
> > desk.
> >
> > IIRC, git will sanely store a password elsewhere if it gets to prompt
> > for it. Should we be trying to unpack usernames/passwords from HTTP
> > urls, and DTRT with them?
> >
> > Are there other ways this could be made better?
> I think we should do nothing.

I think so, too.

But just brainstorming, one thing we _could_ do is issue a warning when
we see a password in a URL and say "hey, what you're doing isn't
fantastic; considering using a credential helper".

Of course I suspect there are many cases where people _do_ need to store
the password in plaintext, because an automated system needs to fetch
with it. They can use the plaintext git-credential-store, but it's
slightly more hassle. And it doesn't really _solve_ the problem (though
perhaps it would be harder to accidentally expose it with your web

> Or, for GitLab/GitHub etc. to discourage use of https API tokens in
> favor of SSH deploy keys. OpenSSH goes out of its way to not allow you
> to provide paswords in URLs, on the command-line etc. in anticipation of
> exactly this sort of scenario. Even then I've seen users write say
> docker images where they manage to hardcode an SSH private key in a
> public image out of convenience or lazyness (say needing "git clone"
> something during the image build).

You can have limited-access https tokens, too. But I don't think those
or deploy keys fix the fundamental problem, because that read access is
sufficient. The ransom is not "give us bitcoin or we will delete your
code, lock you out of your account, etc". Those things can easily be
fixed by complaining to the service provider, who has backups. The
ransom is "give me bitcoin or I will share your code with the world".
So whatever token the server has to do a fetch is enough to steal the
code (though I think deploy keys can be repo-specific, and I'm not sure
if http tokens are; that expands the attack to _all_ of the user's
repos, not just the one the server cares about).

I don't know how many people who git by this actually even want to fetch
to the server, though. They might just have blindly rsync'd up their
local checkout, and the deploy server actually never needed to know
about git in the first place.