From YouTube: Security issues in Git - Git Merge 2018

Description

Presented by Edward Thomson, Program Manager, Microsoft

About Git Merge

Git Merge is the pre-eminent Git-focused conference: a full-day offering technical content and user case studies, plus a day of workshops for Git users of all levels. Git Merge is dedicated to amplifying new voices in the Git community and to showcasing the most thought-provoking projects from contributors, maintainers and community managers around the world. Find out more at git-merge.com
Yeah, so thanks so much again. My name is Edward Thomson. I am a program manager at Microsoft, where I work on the Git community for Visual Studio and Visual Studio Team Services, and yeah, I actually used to be a dev. I'm a program manager now, which means I don't actually write code anymore. I used to actually write version control code; now the closest thing I have to an IDE is either Outlook or maybe PowerPoint.
One of my co-workers tried to console me by pointing me to some YouTube video that shows that PowerPoint is actually Turing complete. This didn't actually make me feel better. It really just terrified me. If you want to be similarly terrified, I would encourage you to check it out, but I am still a developer at heart.
So when I leave work and put Outlook and PowerPoint behind me, I'm one of the maintainers of the libgit2 project. If you're not familiar with libgit2, it's a linkable library that you can use in your application to do management of your Git repository. So if you're building a Git GUI or an IDE and you want Git integration, it makes a ton of sense, but even if you're writing a simple app that does some work in a Git repository, maybe it looks at what's going on and tries to validate things.
libgit2 was developed, at its very beginning, from Git itself. So the Git program is a mix of C and Perl and Python and all sorts of things, and we took, in libgit2, a lot of the C code out of Git to bring into libgit2. We wanted it to be, you know, perfectly identical, compatible with the Git project, so libgit2 is written in C. Much of Git is written in C. I love writing C. C is a great tool to use to build an application.
It's really powerful, right? If you want to write a device driver, if you want to talk to the kernel, you're probably going to do it in the C language, and if you want to, say, make some syscalls in another language like Ruby or Perl or Python, whatever, you're probably going to make use of the foreign function interface or the native code. You know, in C# it's P/Invoke; in Java it's JNI to talk to C, because it's so powerful. It's also really fast.
The reason it's fast is because it doesn't do things like error checking on inputs. So if you have, you know, a five megabyte buffer and a 10 megabyte file, C isn't gonna complain. It might crash, it might not; it's actually undefined what happens. It might just be a giant security hole, which brings me to number three.
It's secure. Oh no, oh, oh, no. C isn't actually all that secure, which is a little bit terrifying at times when you're building a version control system on top of it, and in fact a really popular version control system. Now there are lies, there are damned lies and there are statistics. These particular statistics come from Stack Overflow. Their most recent annual developer survey shows that something like 70, 80 percent of developers are using Git. Maybe not exclusively Git; maybe they're using another version control system as well, but almost everybody is using Git.
You know, the next runners up are Subversion and Team Foundation Version Control, and they barely clock ten percent. That's incredible! Everybody is using Git these days. It runs the American stock market: NASDAQ uses it. It runs the operating systems that we put in our pockets; Android and Apple are both using it.
I now realize that NASA's actually up here twice, but you know what, if you put rockets in space, I think you get double billing. But they're using Git, and I want the rockets to go up and not, you know, come back down. So it's very important that we take security seriously in the Git projects. Sort of the nightmare scenario, for me at least, is that we might have some security hole in Git that allows remote code execution on a developer's machine, or lets somebody put files into a repository without anybody having to know it.
That actually kind of keeps me up at night, and it's especially important for the libgit2 project. I mean, of course it's important for Git, but it's also important for libgit2 because you may not have heard of libgit2, but we've actually heard of you, turns out. We have some pretty high-profile users, probably where you host your code: GitHub uses it, Visual Studio Team Services uses it, GitLab uses it to merge your pull requests. So libgit2 is actually responsible for putting code into your repository.
So yeah, and I wrote that code, so really I do actually take this very seriously. I think about this quite a lot. Bitbucket doesn't actually use us to complete pull requests. I'm gonna have a conversation; I want to fix that, hopefully this week. But because everybody who hosts Git repositories, at least at scale, uses libgit2, it's very important for us to take security seriously, right?
The interesting thing, though, is that I mentioned C. What we don't see a lot of in Git and libgit2 are the sort of things that you might traditionally think of as problems in C, like buffer overflows or integer overflows. They of course exist, but we do a really good job of code reviews on the code coming into the Git project and the libgit2 project, and we look for these sorts of things and, of course, we find them and we reject code reviews.
That isn't enough, because the best computer scientists, the best software engineers, are still computer scientists and software engineers, and we're still human and we make mistakes. So, of course, we use a number of static code analysis and security checking tools to help us with that, and these find problems too. In libgit2 we've started looking at using fuzzing to help us even further, but really, like I said, the biggest problems...
...aren't these. The biggest problems are assumptions that we make. Can I see a show of hands real quick: who's using Git? I expect everybody. Now keep your hand up if you're using it on Mac or on Windows. Put your hand down if you only ever touch a Linux machine or an s3 night. Now look around and see who's got their hands up, right? Okay, thank you! You can put them down. So this actually matches up with yet another survey. Sorry to keep throwing numbers at you.
This is why I'm a program manager now. Windows: this is desktop usage for developers, and we see that Windows is the predominant platform for developers. Mac is number two and Linux actually shows up. That's, you know, because this is a survey of developers, but Windows and Mac are still the predominant systems, right? And that actually is a little bit at odds with the community building Git itself. If you know the history of Git, you'll know that Linus Torvalds invented Git to help him build the Linux kernel.
So it's no surprise that a lot of the Git developers themselves use Linux, and that can lead to some interesting problems when you're not actually part of your core audience. And so I want to talk a little bit about a security vulnerability that was perhaps introduced maybe because of some expectations that were violated because of that. This, as you can tell by the name, is not a sexy security vulnerability. It doesn't have a name like Shellshock or Memcrashed; it's...
So what's actually in a Git repository? You know, I've just got this one file up here called hello.txt and I've got this folder called .git, and you may have never looked in this folder called .git. If you're on Windows, it's actually hidden, so you may have never even noticed that this exists, but this is the .git folder. This is your Git repository. We talked a lot about how Git is a distributed version control system and how everybody's got a copy of the repository. Well, that's where it is: in .git.
Now what's actually in here? Well, we've got a couple of things. First of all, our branches are stored in the .git folder. This is information about the branches that we have. I only have one right now on my local repository and that's called master, but more interestingly I've also got this folder called objects, and you see some hex numbers, some two-character hex numbers. So these are folders, and if I look inside one of them, I see some files. And so what's actually going on? This is an actual Git object.
You're probably used to seeing 40 characters of hex as a Git object, whether that's a commit or a Git tree, or, Git also stores files in here as objects; they're called blobs and they're stored with the 40 character hex ID also. So, if you've never gone looking around in your .git folder, this stuff is kind of interesting and it's kind of important. That's why Git hides it from you by default.
If you run git status in your repository, you don't see the stuff in .git; it's all hidden from you. Git knows to not worry about that. Git actually doesn't let you touch it. You can't git add files in there. You can't git rm files from there. Git protects that from you, because it's its space; that's your repository and only it can touch it. Well, or so we thought. We've actually got a file in here. Let's take a look at it. Let's make sure it's not actually something that Git managed. No, oh! No!
Well, let's inspect what's in that folder there, and oh yeah, it's our file, hello-repo.txt! So what's actually happened is we've added a file to Git called .GIT, all uppercase, /hello-repo.txt, and so what Git has done is it's tried to open that file, .GIT/hello-repo.txt with a capital GIT, and it's happily written that into our .git folder. That's why I asked who's running on Windows, who's running on a Mac.
The thing that those two systems have in common is that they both use case-insensitive file systems by default. So when I open .GIT, capital GIT, it gives me the Git directory, .git, lowercase. And Git is smart enough, at least this version of Git, to know not to allow any users to add files in .git, lowercase. But it's not smart enough for .GIT, uppercase. So that's interesting.
So we've got a file in our .git repository that we didn't expect to have, but can we actually do something with that as an attacker? Well, let's take a look at one of our other branches. Okay, so right, so I'm going to go back to my master branch and then from there let's take a look at this hello.txt. Okay, hello world! No big deal. Now let's check out a slightly more evil branch called replacement objects. Oh well!
You might think that your filenames are really important and leaking that information on Stack Overflow would be bad, so you change it, so now on Stack Overflow you've asked a question like, well, "The following untracked working tree files would be overwritten by checkout: filename.txt." Right, that's a totally reasonable thing for somebody to do and I understand why they would do it, and if they were asking that question they might get advice like, well, here's how to get around that, you can...
Why don't we switch to the replacement objects branch, we'll create a new branch locally and then we'll git reset to the origin? There we go. Well, now we've checked out that branch that we really wanted to check out, and maybe we wanted to code review it, who knows, and what has happened? Well, I've deleted my hello.txt locally, okay, but let's actually take a look at what came in at HEAD. Oh, it's another .git directory in all caps, okay, and what's in that .GIT directory? Well, a directory called objects, and inside objects is...
...AF, two hex characters, and inside the AF directory is, oh well, that's a Git object. So we've actually checked out a branch that has now written a Git object into our Git directory, and I didn't show you earlier, but that object ID happens to be hello.txt in our master branch. So now what we might do is do something clever like, well, I want that hello.txt back, so I'll git merge master, right. That's the logical thing to do! Oh, there it is. What's actually in that file now? Oh.
Ouch. We've actually taken advantage of another wrinkle in Git, which is that it doesn't actually validate the hashes on every operation, because that would be just punishingly expensive. When Linus started looking at version control systems, he looked at a tool called Monotone. Monotone was in many ways the ideas behind Git: it used a Merkle DAG for storage, it used SHA-1 and it validated the SHA-1 checksum. It did a hash on every operation, so it was insanely slow, especially at the Linux kernel scale, and so by default...
...it doesn't do that. And so, if we can somehow convince Git to write a new object into the .git directory, well, we can take advantage of that. Now this is a pretty questionable attack, right, but when we switch back to master and look at the file, it's still there. So we've totally poisoned the Git directory, but yeah, not super obvious.
First of all, you've got to convince somebody to check out this branch that you've given them, and then you've got to convince them to ignore the error message and somehow run a series of commands that they probably don't understand. So it's not a great attack, right? It's a social engineering attack at best, and frankly, there are probably easier social engineering attacks that don't require people to use Stack Overflow to get there. Okay.
So when you run git commit, it will look for a .git/hooks/pre-commit file and if it's there it'll execute it, and so if an attacker has figured out a way to put one there, it will execute it. And in this case, this is very innocuous. It's just running some AppleScript to pop up an OK dialog, but it could be a Bitcoin miner. It could be rm -rf. It could be send an email to your boss telling him that you quit. It could be any number of things.
If you sent a pull request with a random pre-commit hook that all of a sudden started executing random things, it would probably not get accepted and merged, but you could in fact convince somebody: hey, I've got this really cool repository, why don't you clone it from GitHub? And maybe get access to their machine. Again, social engineering attack; there's still probably better social engineering attacks, but this was really incredibly serious when we discovered this. And of course I didn't discover it. I say "we", I mean the greater community.
In fact, it wasn't the Git community at all that found this. This was originally found by, or reported to, Mercurial. Mercurial actually has the same or a similar problem. They don't have a .git directory, they have a .hg directory, and they made the same assumption about case sensitivity. You can't write into .hg with Mercurial, but you could with all caps, and the Mercurial team was kind enough to disclose it to the Git team.
The Git team was kind enough to disclose it to the libgit2 team, and we're really glad that they did, because when we heard about this we were like, oh, oh yeah, that's important. Also, it's not just case sensitivity. There are a bunch of ways that you can abuse Git to write files on Windows. Anybody remember... this is a young crowd, you guys all look so fresh-faced.
Does anybody remember DOS and its 8.3 filenames? At some point we added the support in Windows for longer paths, and there were various translations that you could do that involved like tilde one, tilde two. You can use that system from the DOS to Windows era to get paths into the .git directory. And on Mac OS there are various Unicode characters that aren't printable and thus can't go into file names and are just kind of completely removed.
So if you throw one of those into the middle of .git, you can attack it that way. So this was a really big deal for us at the time. In fact, this was one of the first, this was perhaps the first major security release that came to Git, and I'm actually really proud of the way the community handled it. We were able to build joint releases. We were able to work together to fix this, both with Mercurial and with the Git community overall.
So we saw simultaneous releases of Mercurial, of Git, Git for Windows and libgit2, all fixing the problem at the same time. As far as Git hosting providers went, since some of the core team on Git work at GitHub, they were able to patch their servers, and since some of the libgit2 core team work at Microsoft, we were able to patch ours. So at the same time we announced that we had fixed this security issue in Git, and you should go download a new Git.
We were also able to announce that if you tried to git push an evil repository like this on GitHub or on Visual Studio Team Services, we would block you from doing so, so we couldn't be used as an attack vector to propagate these sorts of security vulnerabilities. GitHub actually scanned every repository they had looking for anybody who had tried to do this and did not find any, which I think is actually really cool because, as Carlos just mentioned, they've got a lot of repositories.
So we were pretty confident that this security vulnerability had actually never been exploited. And finally, we did simultaneous releases of Git clients. We updated GitHub Desktop and Visual Studio. Visual Studio's support matrix is quite deep, so we actually had to update many, many versions of Visual Studio, so I'm really proud that we were able to come together and make all this happen at the same time.
But if you're astute, you'll notice that there's, you know, a lot of logos on that slide, but there's a lot of logos missing as well, and that was perhaps the biggest takeaway that we had. Although we were able to work together and build simultaneous releases for a lot of products, we really weren't helping the community as much as we could have. We could do better here, because where's Atlassian on this release? You know, SourceTree should have been notified, and I honestly don't remember if they were or not, and I feel really bad about that.
That's not the way to build a community. You know, obviously we all kind of compete with each other on one level, but using security bugs is not a competitive advantage, right? So the biggest thing I think that fell out of this security issue, CVE-2014-9390, was that we now have a good security group, and it's made up of vendors. It's made up of Git contributors and contributors to other projects that aren't just Git, like libgit2, like JGit, so that we can share knowledge. And again, security issues aren't a competitive advantage.
We need to work together and collaborate to fix these problems. So there have been a couple of other security issues in Git since then, and we've used this group to collaborate to great effect. I don't have time to talk about all of them today, so I made a little quick link. If you want to learn a little bit more: aka.ms slash git security. I encourage you to check that out. So that's all I've got. I just wanted to say thanks for listening and thanks for letting me help keep your Git repository secure.
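The two defences the talk points at, as an added example in Python (not git's or libgit2's code): rejecting tree-entry paths that would alias `.git` on a case-insensitive filesystem (case folding, the DOS 8.3 short name, the HFS+-ignored code points), and recomputing a loose object's SHA-1, the check Git skips on ordinary operations. The exact HFS+ ignorable set, the `GIT~N` short-name form and the trailing-dot/space handling are this example's assumptions about Windows and macOS behaviour, not statements from the talk.

```python
"""Added example: reject tree-entry paths that could alias .git on a
case-insensitive filesystem (the CVE-2014-9390 class), and recompute a
loose object's SHA-1, the check git skips on ordinary operations."""
import hashlib
import zlib

# Assumption: code points that HFS+ ignores when comparing file names; an
# even more conservative filter would drop every Unicode "Cf" character.
HFS_IGNORED = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def fold_component(name):
    """Fold one path component the way a permissive filesystem resolves it."""
    # macOS (HFS+): the ignorable code points simply vanish from the name.
    name = "".join(ch for ch in name if ord(ch) not in HFS_IGNORED)
    # Windows (NTFS): trailing dots and spaces are not part of the stored name.
    name = name.rstrip(". ")
    # Both compare case-insensitively.
    return name.lower()


def is_dotgit_alias(component):
    """True if this component would open the .git directory on Windows/macOS."""
    folded = fold_component(component)
    if folded == ".git":
        return True
    # Assumption: DOS 8.3 short names. ".git" has no legal 8.3 form, so the
    # filesystem assigns GIT~1 (GIT~2 .. GIT~9 on collisions).
    return len(folded) == 5 and folded.startswith("git~") and folded[4] in "123456789"


def path_is_safe(path):
    """Check every component of a repository-relative path from a tree entry."""
    return not any(is_dotgit_alias(part) for part in path.split("/") if part)


def make_loose_blob(content):
    """Constructed sample: store bytes as git does, 'blob <len>\\0' + content,
    zlib-compressed, named by the SHA-1 of the uncompressed header+content."""
    raw = b"blob %d\x00" % len(content) + content
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def loose_object_matches_id(object_id, compressed):
    """Recompute the hash of a loose object and compare it to the id it is
    stored under; a poisoned .git/objects entry fails this check."""
    return hashlib.sha1(zlib.decompress(compressed)).hexdigest() == object_id


if __name__ == "__main__":
    for p in [".GIT/hello-repo.txt", "a/GIT~1/config", ".g\u200cit/x", "hello.txt"]:
        print(p, "safe" if path_is_safe(p) else "REJECT")
```

Running `loose_object_matches_id` over every file under `.git/objects` is the cheap, offline version of the integrity check Monotone paid for on every operation; `git fsck` does the same and more.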