By ‘Git instances’ they mean Gogs instances that allow open registration. I know most of the community moved from Gogs to Gitea, and then to Forgejo, but thought this was still worth noting.

  • bort@sopuli.xyz · ↑87 · 21 days ago

    Here are the steps:

    • The attacker creates a standard Git repository.
    • They commit a single symbolic link pointing to a sensitive target.
    • Using the PutContents API, they write data to the symlink. The system follows the link and overwrites the target file outside the repository.
    • By overwriting .git/config (specifically the sshCommand), the attacker can force the system to execute arbitrary commands–

    amazing.

    • addie@feddit.uk · ↑22 · 21 days ago

      Especially since any version of Git from the last few years has a passionate hatred of symlinks for this reason, which is a bit annoying if you’ve a legit use case. They’re either very out-of-date, or have done some very foolish customisation…
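A defensive check for the write path described in the quoted steps above (content written through a committed symlink landing in .git/config), added here as an example and not code from Gogs, Gitea, Forgejo or the linked write-up. It refuses a write that would escape the repository, touch .git, or pass through a symlink; the names `safe_write_target`, `write_file`, `UnsafePath`, `demo` and the constructed temporary repository are assumptions of this example.

```python
import os
import tempfile
from pathlib import Path

class UnsafePath(Exception):
    """Write target escapes the repo, touches .git, or passes through a symlink."""

def safe_write_target(repo_root: str, rel_path: str) -> Path:
    """Map rel_path to a path under repo_root or raise UnsafePath (hypothetical check)."""
    root = Path(repo_root).resolve()
    # normpath collapses '..' without following links: judge the path as requested.
    normalized = Path(os.path.normpath(root / rel_path))
    if root not in normalized.parents:
        raise UnsafePath(f"path escapes repository: {rel_path}")
    parts = normalized.relative_to(root).parts
    if parts[0] == ".git":
        raise UnsafePath(f"writes into .git are not allowed: {rel_path}")
    current = root  # is_symlink() uses lstat(), so links are detected, not followed
    for part in parts:
        current = current / part
        if current.is_symlink():
            raise UnsafePath(f"symlink in path: {current.relative_to(root)}")
    return normalized

def write_file(repo_root: str, rel_path: str, data: bytes) -> Path:
    """Write data only after safe_write_target approves the path."""
    target = safe_write_target(repo_root, rel_path)
    # O_NOFOLLOW (where supported) closes the check-then-write race via a swapped-in link.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o644)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return target

def demo() -> dict:
    """Constructed repo: .git/config plus a symlink named 'link' aimed at it."""
    repo = Path(tempfile.mkdtemp()) / "repo"
    (repo / ".git").mkdir(parents=True)
    (repo / ".git" / "config").write_text("[core]\n")
    os.symlink(repo / ".git" / "config", repo / "link")
    results = {}
    for rel in ["README.md", "link", ".git/config", "../outside"]:
        try:
            write_file(str(repo), rel, b"hello")
            results[rel] = "written"
        except UnsafePath:
            results[rel] = "rejected"
    results["config_intact"] = (repo / ".git" / "config").read_text() == "[core]\n"
    return results
```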

  • Lem453@lemmy.ca · ↑18 · 21 days ago

    If I remember correctly, on my Gitea (now Forgejo) the default is open registration, which really shouldn’t be the case for projects that are targeted towards self-hosters.

    My initial install was a long time ago, so I don’t remember for sure.

    • Jade@programming.dev · ↑7 · 21 days ago

      Yeah in my project open registration is behind an option called yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse lol

      • JackbyDev@programming.dev · ↑2 · 21 days ago

        Honestly, this is always more effective than a comment in the config because it can get removed. All it would take is a popular guide having the config with that option on and the comment gone.

    • Encrypt-Keeper@lemmy.world · ↑3 · 21 days ago

      Reading between the lines I feel like when you say “Targeted towards self hosters” what you mean is “John Q Hobbyist who doesn’t know any better”

      And in response to that I would contend that Gitea is not actually targeted at those folks, though they obviously use it. Gitea is FOSS but it’s still “targeted” at professionals.

    • Jason2357@lemmy.ca · ↑2 · 20 days ago

      This absolutely. Anyone who actually wants open registration will be configuring their own SSO or whatever backend. The default should be safe for testing and/or hobbyists.

  • GreenKnight23@lemmy.world · ↑15 ↓2 · 21 days ago

    this is what I’m talking about when it comes to the selfhosted communities.

    if you don’t know how to properly segment and VLAN your network, you have no business exposing your shit to the internet.

    • Jason2357@lemmy.ca · ↑10 · 20 days ago

      While good, network security isn’t the issue. It’s running a web service with open registration allowing randos to upload content that gets processed by the server.

      Throw this up on a dedicated $5 VPS and you still have a problem. The default should be manual registration by admins.