I was sent a Git repository (the .git folder) from an untrusted source.
I want to take a look at it with GitHub Desktop that I have installed, but I don't know enough about the inner workings of Git to know if this is dangerous. Is it safe like opening a text file with notepad, or potentially more dangerous?
tl;dr: cloning is safer than receiving a .git
directory.
Details:
Do not blindly trust a repo someone gives you by handing you the .git
directory. Presumably if someone gives you a repo, you're going to do something with it.
It won't hurt anything just sitting on your machine, but it's possible it could hurt you if you use the repo. The biggest concern is Git hooks, which are, by default, found in the folder: .git/hooks
. Hooks can run arbitrary scripts when you type regular Git commands like commit
, rebase
, merge
, push
, etc. The location of those hooks can also be changed by using a config setting, which is found in the file .git/config
. Also found in that config may be Git aliases, which you may want to inspect to make sure nothing funky is going on. Note that the config file can also include other configs files as well, so you'd have to see if any others are being included.
If you're worried about it, I believe it would be safe to simply clone that repo to another folder. AFAIK that shouldn't bring in any of the customized configs or hooks. When you clone the repo, you should end up in the state as described in matt's answer.