author | Niklas Goerke <github@niklasgoerke.de> | 2020-10-07 11:55:13 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-10-07 12:55:13 +0300 |
commit | 8fe8ab5cbf2977f3a01ea12361df2cd76dce3ea9 (patch) | |
tree | f2f1e994d49072ced1891e2ff36e55be95b8b2e9 /docs/content/doc | |
parent | d49242287db18fe56991aa66afae0a376bfe9874 (diff) | |
download | gitea-8fe8ab5cbf2977f3a01ea12361df2cd76dce3ea9.tar.gz gitea-8fe8ab5cbf2977f3a01ea12361df2cd76dce3ea9.zip |
Mitigate Security vulnerability in the git hook feature (#13058)
* Extend git hook warning in the UI.
Git hooks are a dangerous feature, administrators should be warned before giving
the git hook privilege to users.
* Disable Git hooks by default and add warning.
Git hooks are a dangerous feature (see warning text) that should only
be enabled if the administrator was informed about the risk involved.
Co-authored-by: Niklas Goerke <goerke@fzi.de>
Diffstat (limited to 'docs/content/doc')
-rw-r--r-- | docs/content/doc/advanced/config-cheat-sheet.en-us.md | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index dc3979a64d..c2a12a1d8f 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -388,8 +388,13 @@ relation to port exhaustion. authentication. - `REVERSE_PROXY_AUTHENTICATION_EMAIL`: **X-WEBAUTH-EMAIL**: Header name for reverse proxy authentication provided email. -- `DISABLE_GIT_HOOKS`: **false**: Set to `true` to prevent all users (including admin) from creating custom - git hooks. +- `DISABLE_GIT_HOOKS`: **true**: Set to `false` to enable users with git hook privilege to create custom git hooks. + WARNING: Custom git hooks can be used to perform arbitrary code execution on the host operating system. + This enables the users to access and modify this config file and the Gitea database and interrupt the Gitea service. + By modifying the Gitea database, users can gain Gitea administrator privileges. + It also enables them to access other resources available to the user on the operating system that is running the + Gitea instance and perform arbitrary actions in the name of the Gitea OS user. + This maybe harmful to you website or your operating system. - `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET`: **true**: Set to `false` to allow local users to push to gitea-repositories without setting up the Gitea environment. This is not recommended and if you want local users to push to gitea repositories you should set the environment appropriately. - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server. - `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary. |
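Review bot: the last line of the added warning text, `This maybe harmful to you website or your operating system.`, has two typos and should read `This may be harmful to your website or your operating system.`; since this is user-facing documentation, it is worth fixing before merge. The same hunk flips the documented default of `DISABLE_GIT_HOOKS` from **false** to **true**, which is a behaviour change for existing installations that rely on custom git hooks; consider adding one sentence to the cheat sheet saying that such installations must now set `DISABLE_GIT_HOOKS` to `false` explicitly, so administrators upgrading understand why hook creation stopped working. While touching this block, the unchanged `IMPORT_LOCAL_PATHS` line below it documents a default of **false** but says "Set to `false` to prevent", which reads as if the default already prevents imports; that wording could be corrected in the same pass.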