Describe the solution you'd like
Currently, server-side hooks, both globally and individually for repos, run the shell scripts or executables with the same permissions as soft-serve itself.
This means that if a malicious user were able to write a file onto the disk, or if a hook were written improperly, the malicious user would be able to take control of the soft-serve instance.
To remedy this it would be better practice to run the hooks in a namespace, similar to how bubblewrap (https://github.com/containers/bubblewrap) works.
Thus you could isolate a git repo and deprivilege the command execution on hook run.
There are numerous options that could then be considered for restricting the namespace privileges, such as disabling networking, which would render most remote code execution useless.
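As an added illustration of the bubblewrap-based confinement proposed above (example code, not soft-serve's own), written in Go since that is soft-serve's language: each hook run gets fresh namespaces, a read-only view of the repository, an empty environment, no capabilities and, by default, no network, with a per-repo opt-in. The bwrap flags are real options of that tool; the HookSandbox type, the /repo mount point and the merged-/usr host layout are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"os/exec"
	"time"
)

type HookSandbox struct { // assumed type for this example, not soft-serve's own
	RepoDir  string        // bare repository on the host, exposed read-only at /repo
	Hook     string        // hook name under RepoDir/hooks, e.g. "pre-receive"
	AllowNet bool          // false leaves the hook in an empty network namespace
	Timeout  time.Duration // hard stop for runaway or hijacked hooks
}

// BwrapArgs builds the bubblewrap argv: fresh namespaces, empty environment, no capabilities.
func BwrapArgs(s HookSandbox, hookArgs ...string) []string {
	args := []string{
		"--unshare-all",     // user, pid, mount, ipc, uts and net namespaces
		"--die-with-parent", // no orphaned hook processes if the server exits
		"--new-session",     // no controlling terminal to inject keystrokes into
		"--clearenv",        // nothing from the server's environment leaks in
		"--cap-drop", "ALL",
		"--ro-bind", "/usr", "/usr", // toolchain read-only; merged-/usr layout assumed
		"--symlink", "usr/bin", "/bin", "--symlink", "usr/lib", "/lib", "--symlink", "usr/lib64", "/lib64",
		"--proc", "/proc", "--dev", "/dev",
		"--tmpfs", "/tmp", // scratch space that vanishes with the sandbox
		"--ro-bind", s.RepoDir, "/repo", // the hook can read, not rewrite, the repo
		"--chdir", "/repo", "--setenv", "GIT_DIR", "/repo",
	}
	if s.AllowNet { // per-repo opt-in; the default denies all outbound connections
		args = append(args, "--share-net")
	}
	args = append(args, "--", "/repo/hooks/"+s.Hook)
	return append(args, hookArgs...)
}

// RunHook executes the confined hook under a deadline and returns its combined output.
func RunHook(s HookSandbox, hookArgs ...string) ([]byte, error) {
	ctx, cancel := context.WithTimeout(context.Background(), s.Timeout)
	defer cancel()
	return exec.CommandContext(ctx, "bwrap", BwrapArgs(s, hookArgs...)...).CombinedOutput()
}

func main() {
	repo := HookSandbox{RepoDir: "/srv/soft-serve/repos/demo.git", Hook: "pre-receive", Timeout: 30 * time.Second}
	out, err := RunHook(repo) // a pre-receive hook also expects ref updates on stdin
	fmt.Printf("%s\nhook result: %v\n", out, err)
}
```

Running it requires bwrap on the host and unprivileged user namespaces (or a setuid bwrap); a hook that tries to open a socket fails inside the sandbox unless the repo sets AllowNet.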