git: Setting anyone's email address in .gitconfig

Submitted by 一曲冷凌霜 on 2021-02-11 15:19:52

Question

I was playing around with git when I realized that it's possible for me to commit something to a repository as another user (I've explained a scenario below for better understanding), and it is not considered a security vulnerability, understandably so (see this).

For example, let's assume I have push access to some repository called AAA, and my email address is abc@xyz.com. I can simply edit ~/.gitconfig on my system and set the email address as some other person's email address: def@pqr.com. Then, I make some changes in my local repository and commit them (remember, with the email address def@pqr.com; git tracks commits by email address). Now, if I try to push to the remote repository, it asks for the username and password. I put mine and since I have push access to AAA, it goes through. I've successfully pushed commits on behalf of the owner of def@pqr.com.

So basically, in this way, I can impersonate people and add commits on their behalf. BUT AGAIN, this is not considered a vulnerability (link for reason attached before).

Question
It would be much easier if git didn't allow changing the email address so easily. Why hasn't git implemented OAuth, or something of that sort, for every time that the email address is changed in ~/.gitconfig, yet?


Answer 1:

As I explained on the list, this is because many projects, such as Linux and Git, work on a patch basis with a maintainer who integrates patches from a variety of people. Therefore, being able to push data for any author is important. If you spoofed someone else's email address on a patch, they would be informed of that by receiving review comments that they had not solicited.

Some projects also do not care very much about who wrote the patch, but instead about whether the patch is of good quality. The author and committer information is for attribution, not identity checking, and so the author is ultimately irrelevant to the project.

If you're concerned about spoofing of identities, it's super easy to require commit signing. GitHub offers this as an option for repositories that you can use. However, it imposes some burden on other people to contribute, since it requires people to get GnuPG set up appropriately.

If you're operating on a platform such as GitHub, you can also just refuse to accept pull requests if the user ID associated with the PR is not the same one as associated with the commits, which is a valid approach; this can even be done via CI if you like.
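The last two paragraphs of the answer describe a CI check that a defender can run on a pull request: every commit's author must be an email address belonging to the user who opened the PR, and (if the project requires signing) every commit must carry a good signature. The following is an added example, not code from the answer or from GitHub; it parses the output of `git log --format='%H %G? %ae %ce' <base>..<head>` (the `%G?` placeholder is git's one-letter signature status: `G` good, `B` bad, `U` good but untrusted key, `N` unsigned, `E` could not be checked) and reports each commit that fails either rule. The sample log text, the commit hashes and the set of PR submitter emails are constructed for the example; a real pipeline would obtain the log from git and the submitter's verified emails from the hosting platform's API.

```python
"""Reject pull-request commits whose author is not the submitter or that lack a good signature.

Added example for this answer; the sample data below is constructed, not taken from a real repository.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed output of: git log --format='%H %G? %ae %ce' base..head
# First commit: signed, authored and committed by the PR submitter.
# Second commit: unsigned, author email set to someone else (the spoofing scenario in the question).
SAMPLE_LOG = """\
0123456789abcdef0123456789abcdef01234567 G abc@xyz.com abc@xyz.com
89abcdef0123456789abcdef0123456789abcdef N def@pqr.com abc@xyz.com
"""


@dataclass
class CommitRecord:
    sha: str
    sig_status: str       # git %G? value: G, B, U, X, Y, R, E or N
    author_email: str     # %ae
    committer_email: str  # %ce


def parse_git_log(text: str) -> List[CommitRecord]:
    """Parse one-line-per-commit output of the format above into records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"unexpected git log line: {line!r}")
        sha, status, author, committer = parts
        records.append(CommitRecord(sha, status, author.lower(), committer.lower()))
    return records


def check_commits(records: Iterable[CommitRecord],
                  pr_author_emails: Iterable[str],
                  require_signature: bool = True) -> List[str]:
    """Return a list of human-readable problems; an empty list means the PR passes."""
    allowed = {e.lower() for e in pr_author_emails}
    problems = []
    for r in records:
        # Rule 1 (from the answer): the commit author must be the user who opened the PR.
        if r.author_email not in allowed:
            problems.append(f"{r.sha[:12]}: author {r.author_email} is not the PR submitter")
        # Rule 2 (optional, from the answer): only a good ('G') signature counts;
        # 'U' means the key is not trusted, 'E' means it could not be checked.
        if require_signature and r.sig_status != "G":
            problems.append(f"{r.sha[:12]}: signature status {r.sig_status!r} (need 'G')")
    return problems


def run_check(log_text: str, pr_author_emails: Iterable[str], require_signature: bool = True) -> List[str]:
    return check_commits(parse_git_log(log_text), pr_author_emails, require_signature)


if __name__ == "__main__":
    # In CI the log would come from git and the emails from the platform's API (assumption).
    for problem in run_check(SAMPLE_LOG, {"abc@xyz.com"}):
        print(problem)
```

Running the block against the constructed log flags only the second commit, once for the spoofed author and once for the missing signature; with `require_signature=False` the author check alone still rejects it. Comparing against the submitter's verified emails rather than the committer field matters because, as the answer notes, the committer is already the person who pushed.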



Source: https://stackoverflow.com/questions/62333381/git-setting-anyones-email-address-in-gitconfig
