Adds hit, the git interceptor

diff --git a/commit b/commit
index e7026b6db7c6359c75d4d223b9cceb86c33fce35..0b998b024f07e54f506ca6bd7abc9be4bd9c4b99 100755 (executable)
--- a/commit
+++ b/commit
@@ -6,6 +6,9 @@
 # Parameters
 ARGS="$*"
 
+# Git application we use
+GIT="hit"
+
 # Check if a file is inside a git repository
 # Usage: git_folder <file>
 function git_folder {
@@ -51,7 +54,7 @@ function is_git {
   elif [ -d "$1/.git" ]; then
     return
   else
-    ( cd "$1" && git status &> /dev/null )
+    ( cd "$1" && $GIT status &> /dev/null )
     
     if [ "$?" != "128" ]; then
       return
@@ -77,12 +80,12 @@ function is_svn {
 function git_push {
   if [ "`git remote | wc -l`" == "0" ]; then
     return
-  elif git remote | grep -q 'all'; then
-    git push all --all
+  elif $GIT remote | grep -q 'all'; then
+    $GIT push all --all
   #elif git remote | grep -q 'origin'; then
   #  echo "Please configure the 'all' remote first."
   #  exit 1
-  #  #git push --all
+  #  #$GIT push --all
   fi
 }
 
@@ -130,13 +133,13 @@ function git_commit {
 
   # If there are no staged files, commit everything.
   # Otherwise commit just what was staged
-  if git status --short | grep -q "^[AM]"; then
+  if $GIT status --short | grep -q "^[AM]"; then
     flag=""
   else
     flag="-a"
   fi
 
-  git commit $flag -m "$params"
+  $GIT commit $flag -m "$params"
 }
 
 # Main
@@ -150,6 +153,6 @@ if [ ! -z "$1" ]; then
     git_user
     git_commit $*
     git_push
-    git fetch --all
+    $GIT fetch --all
   fi
 fi

diff --git a/commit-updates b/commit-updates
index 93faf12421be389087d08b2d670da3258ae2e094..2a71c1d83931e8d6914cd6d79ce8b55e5bc6a206 100755 (executable)
--- a/commit-updates
+++ b/commit-updates
@@ -6,6 +6,9 @@
 # Parameters
 PROJECT="$1"
 
+# Git application we use
+GIT="hit"
+
 # Check if param is a project
 if [ ! -z "$PROJECT" ] && [ -z "$2" ] && ( cd $PROJECT &> /dev/null ); then
   if ! git status &> /dev/null; then
@@ -21,7 +24,7 @@ fi
 ARGS="$*"
 
 # Simply update commit
-if git status &> /dev/null; then
+if $GIT status &> /dev/null; then
   if [ ! -z "$ARGS" ]; then
     commit "Updates $ARGS"
   else

diff --git a/git b/git
new file mode 120000 (symlink)
index 0000000..7d20918
--- /dev/null
+++ b/git
@@ -0,0 +1 @@
+hit
\ No newline at end of file

diff --git a/hit b/hit
new file mode 100755 (executable)
index 0000000..7f24226
--- /dev/null
+++ b/hit
@@ -0,0 +1,56 @@
+#!/bin/bash
+#
+# hit: the git interceptor
+#
+# Main features:
+#
+# * Disables/mitigates hooks by changing permission and ownership on `~/.git/hooks`.
+#
+# Other features to consider:
+#
+# * Checks proper user/email config.
+# * Automatically sets git-flow when initializing a repository.
+# * Automatically sets git-hooks integration.
+# * Implements global hooks.
+# * Checks remote configuration.
+# * Checks hook tampering before doing anything in the repository, like removing hook permissions
+
+# Parameters
+BASENAME="`basename $0`"
+
+# Ensure we run a system-wide git installation and not any other script or alias
+GIT="/usr/bin/git"
+
+# Check for firejail
+if which firejail &> /dev/null; then
+  GIT="firejail $GIT"
+fi
+
+#
+# Disable git hooks
+#
+# A malicious software that is being tested might put arbitrary scripts as git hooks.
+# This can be an attack vector if you're testing the software inside a virtual machine but is
+# handling git commands from the host machine (like when running vagrant).
+#
+# By disabling any hooks from being execute we mitigate a possible attack vector.
+#
+# References:
+#
+# https://stackoverflow.com/questions/35997624/how-to-disable-git-hooks-for-security-reason
+# https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/
+if [ -d ".git/hooks" ]; then
+  # Remove all exec permissions
+  chmod -x .git/hooks/*
+
+  # Rename all non-default hook files
+  for file in `ls -1 .git/hooks/ | grep -v '.sample$'`; do
+    echo "hit: renaming .git/hook/$file to .git/hook/$file.sample"
+    mv .git/hooks/$file .git/hooks/$file.sample
+  done
+fi
+
+#
+# Call git
+#
+$GIT $*