A bare repository is a Git repo with no working tree, just the .git internals. Git will recognize one anywhere it finds the right directory structure. An attacker can exploit this by embedding a bare repo inside a normal repository, tucked into a subdirectory or smuggled in via submodules.
When you clone the outer repo and cd into it, Git may auto-discover the embedded bare repo. If that bare repo has hooks configured (say, a post-checkout or pre-commit), they run on your machine. Arbitrary code, no prompt.
The fix landed in Git 2.38 with safe.bareRepository:
git config --global safe.bareRepository explicit
With explicit set, Git refuses to operate in any bare repository unless its path has been added to safe.directory. It won't auto-discover bare repos nested inside cloned projects. Git reads safe.bareRepository only from protected configuration (system and global scope, or the command line), never from a repository's own .git/config, so a cloned project cannot switch the setting off for you.
Without this, cloning a repo someone hands you could silently execute whatever they put in a hook. The attack surface is small but the impact is full code execution.
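To audit a freshly cloned tree for this, here is an added shell example (not from the original post) that looks for the directory layout Git uses to recognize a repository (a HEAD file next to objects/ and refs/) anywhere outside the top-level .git, lists the hooks each such directory carries, and reports whether safe.bareRepository is set in your global config. The project tree it builds for the demo is constructed.

```shell
#!/bin/sh
# Scan a checked-out tree for embedded bare repositories: any directory that
# has HEAD, objects/ and refs/ but is not the project's own top-level .git.
# Prints one line per finding, path relative to the root, with its hooks.
find_embedded_bare_repos() {
    root=$1
    find "$root" -type f -name HEAD 2>/dev/null | while read -r head; do
        dir=$(dirname "$head")
        # The legitimate .git (and files like .git/logs/HEAD) are skipped.
        case "$dir" in
            "$root/.git"|"$root/.git/"*) continue ;;
        esac
        [ -d "$dir/objects" ] && [ -d "$dir/refs" ] || continue
        # Hooks are what turn a smuggled bare repo into code execution when
        # you cd into (or below) it and run any git command there.
        hooks=$(ls "$dir/hooks" 2>/dev/null | tr '\n' ' ')
        printf '%s hooks=[%s]\n' "${dir#"$root"/}" "${hooks% }"
    done
}

# Report the user's current policy; unset means the pre-2.38 behaviour "all".
bare_repo_policy() {
    git config --global safe.bareRepository 2>/dev/null || echo "unset (default: all)"
}

# Constructed demo: an outer project with a bare repo hidden in vendor/
# that ships a post-checkout hook. Returns the scanner's findings.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/project/.git/objects" "$tmp/project/.git/refs"
    echo 'ref: refs/heads/main' > "$tmp/project/.git/HEAD"
    bare="$tmp/project/vendor/lib.git"
    mkdir -p "$bare/objects" "$bare/refs" "$bare/hooks"
    echo 'ref: refs/heads/main' > "$bare/HEAD"
    printf '#!/bin/sh\necho demo\n' > "$bare/hooks/post-checkout"
    find_embedded_bare_repos "$tmp/project"
    rm -rf "$tmp"
}
```

Run `find_embedded_bare_repos /path/to/clone` on anything you did not author before changing into it; the demo prints `vendor/lib.git hooks=[post-checkout]`.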
Bare Repository Attacks in Git