Git community disclosed a high serverity of vulnerabilies (CVE-2018-11235). Since the impact of this vulnerabilities might influence many software application.
The major design weakness of this vulnerability is that when you git clone a repository, there is some important configuration that you don’t get from the server includes .git/config file, and things like hooks, which are scripts that will be run at certain points within the git workflow. For instance, the post-checkout hook will be run anytime git checks files out into the working directory. As a result hacker can appended to $GIT_DIR/modules, leading to directory traversal with “../” in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server. As a result, hacker has way to implant malware to the library.
This vulnerability also jeopardizing hyperledger project. Please refer to above diagram for reference.
For details of vulnerability. Please refer below:
- Examine submodule’s folder names closely.
- No longer contain .. as a path segment, and they cannot be symbolic links.
The programming parameter must be within the .git repository folder.