`git push --force` to send malicious codes to other developer's local env without notice?
Assume a pure Git workflow without any forges such as GitHub. This means there is no protected branch settings for example.
Safe Workflow
When a malicious member executes git push (without --force) to push a malicious code and then another member executes git pull, he can notice he has downloaded (or pulled) something new:
If he is conservative enough, he can check the actual diff by using the command below:
$ git diff 71bbeab..984e12a
After that, if he is suspicious about the diff, he can opt not to blindly type make, which may execute the malicious code.
Unsafe? Workflow
Assume a situation which is the same as the one above except that the malicious member executes git push --force and may additionally execute some hacking tricks which I don't know.
In that case, is it still always possible for other members
to notice the action
and to check the actual diff?
As for the first point, as far as I tested, it seems they can notice the action because git pull shows forced update when pulling a change created via git push --force:
+ 31674dc...71bbeab master -> origin/master (forced update)
As for the second point, again as far as I tested, it seems they can also check the diff because git pull either fails due to merge conflicts or succeeds but shows the diff as shown in the Safe Workflow above, though I don't know there is any attacker-controllable way to make git show a fake diff.
Edit: As discussed in the comments, this question is about security considerations, so "as far as I tested" is not enough; we know that security questions must be answered theoretically and not empirically or experimentally. This is why I also explicitly wrote
and may additionally execute some hacking tricks which I don't know
though I don't know there is any attacker-controllable way to make
gitshow a fake diff
Commits are uniquely identified by a hash which validates their content and their parents. So any push action (so called "malicious" or not) can always be detected: the hash at the tip of the branch you fetch will change. There is no circumventing that.
In the output you pasted in your question: you can see the two sha in 71bbeab..984e12a.
To inspect after the facts (say you closed your first terminal, or ran git pull --quiet) the changes on a remote branch (say: origin/master), you can run: git reflog origin/master to view the various updates you saw -- e.g: the history of how origin/master was updated each time you ran a git fetch or git pull (warning: this is not a long term history, git reflog entries may expire after 90 days by default, see git help reflog).
Once you have these two commit identifiers, you can:
directly compare their content:
git diff <sha1> <sha2>compare their histories:
git log --oneline --graph <sha1> <sha2>orgit log --oneline --graph --boundary <sha1>...<sha2>do all sort of extra things ...
To understand the internals of Git, Chapter 10 of The Git Book is a very nice introduction.
- symlink from public_html_source to public_html
- Git: how to move a branch to another base branch?
- In a `git merge`-style workflow, show only the unique commits someone had in their PR's (Pull Request's) feature branch before merging
- git grep by file extensions
- How to undo git init on a home directory?
- Unable to clone repository from Gitlab: Permission denied, please try again
- Adding git submodule that contains another submodule?
- lint-staged not running on precommit
- Trying to remove git repo on ubuntu guest
- How to search across many Azure Devops Git project and find all files which contain specific text AND which filename contains "Resource"
- Git Rebase but keeping some changes from feature branch
- How to make git log not prompt to continue?
- 'git push heroku master' is still asking for authentication
- Azure DevOps - compare two commits right in the web UI?
- How do I remove all stale branches from Github?
- How to remove branches already deleted on GitHub that still show up in VS Code?
- Why to not commit changes to version control ... before
- Is there a way to revert to a previous commit in VS code?
- How can I check for whitespace/tab errors in my git commit?
- Create a repo in GitLab using CLI
- How can I check out a GitHub pull request with git?
- git pull error: cannot lock ref 'ref/remotes/origin/xxx' ... exists; cannot create
- How to diagnose and fix git fatal: unable to read tree
- Unable to checkout git submodule path
- How to clone git repository from its zip
- Git Azure DevOps URL Not Supported Error When Running dotnet new -i <Azure DevOps Repo URL> (Even with PAT)
- How to create git hooks in Windows with Node.js?
- sh: husky: command not found
- Git does not use SSH key (Windows)
- Change the location of the ~ directory in a Windows install of Git Bash