Today I Learned

A collection of short notes from my cross-disciplinary studies, shared as I learn in public.

status: In Progress

certainty: certain

importance: 7/10


posted on 04.12.2026

Bare Repository Attacks in Git

A bare repository is a Git repo with no working tree: the contents of what would normally be .git (HEAD, objects/, refs/ and so on) sit directly in the directory. Git treats any directory with that layout as a repository, wherever it finds it. An attacker can exploit this by embedding a bare repo inside an ordinary repository, tucked into a subdirectory or smuggled in via a submodule.

Git's repository discovery walks up from your current directory and stops at the first thing that looks like a repository. So when you clone the outer repo and then run any Git command from inside the embedded bare repo's directory, Git picks up the attacker's repo instead of the one you cloned, and trusts its hooks and config as if they were your own. If that bare repo ships hooks, they run on your machine the moment you invoke a command that triggers one. Arbitrary code, no prompt.

The fix landed in Git 2.38 with safe.bareRepository:

git config --global safe.bareRepository explicit

With explicit set, Git only works with a bare repository that you name yourself, via the top-level --git-dir option or the GIT_DIR environment variable. A bare repo it merely stumbles upon during discovery, such as one nested inside a cloned project, is refused with a fatal error. The default value is all, which is why you have to opt in. The setting is only honoured from protected config (system, global, or the command line), so the repository you just cloned cannot flip it back to all from its own config. If you do keep bare repos around for your own work, point at them with --git-dir or GIT_DIR and they keep working.

Without this, running Git inside a repo someone hands you could silently execute whatever they put in a hook. The attack surface is narrow, since you have to run a Git command from inside the nested directory, but the impact is full code execution.
