
block_file_extensions.sh can be circumvented with fork + PR

Open. bloomonkey opened this issue 7 years ago · 1 comment

The block_file_extensions.sh pre-receive-hook can be circumvented by:

  1. Fork the repository
  2. Add a file with the blocked extension
  3. Submit a pull request
  4. Merge pull request

We've done a little research and suspect that this is due to the:

excludeExisting="--not --all"

I guess we could mitigate, e.g. by adding block_self_merge_prs.sh, but this could still be circumvented if 2 users with write privileges colluded.

Any thoughts?

bloomonkey, Jan 22 '18 13:01
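The following is an added example, not the platform-samples hook and not code from the issue author. It rebuilds the scenario the issue describes in a throwaway repository and compares two hook-side checks: one modelled on the `excludeExisting="--not --all"` line (walk only commits not yet reachable from any ref and inspect each commit's own diff), and one that instead diffs the ref's old tip against its new tip. The simulation assumes the pull request's head commits already exist in the repository under a `refs/pull/1/head` ref when the merge is pushed; the blocked extension list, the function names, the file `payload.exe` and its contents are all constructed for the demo. It assumes `git` is on PATH.

```shell
#!/bin/sh
# Added example (not the platform-samples block_file_extensions.sh hook).
# Assumes git is installed; the block list, ref names and file contents below
# are constructed for the demo.
set -eu

export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

BLOCKED_RE='\.(exe|dll|bat)$'                        # assumed block list
ZERO=0000000000000000000000000000000000000000     # oldrev of a brand-new branch

# Check modelled on the issue: list only commits not reachable from any
# existing ref ("--not --all") and inspect each commit's own diff.
# Returns 1 (reject) if any such commit touches a blocked file.
naive_check() {   # <repo> <oldrev> <newrev>
    if git -C "$1" rev-list "$3" --not --all |
       while read -r c; do
           git -C "$1" diff-tree --no-commit-id --name-only -r "$c"
       done | grep -Eq "$BLOCKED_RE"; then
        return 1
    fi
    return 0
}

# Hardened check: diff the tree at oldrev against the tree at newrev, so a
# file brought in by a merge is seen even when the commit that added it
# already existed under refs/pull/*. A new branch is checked by listing
# its whole tree.
robust_check() {   # <repo> <oldrev> <newrev>
    if [ "$2" = "$ZERO" ]; then
        files=$(git -C "$1" ls-tree -r --name-only "$3")
    else
        files=$(git -C "$1" diff-tree -r --name-only --diff-filter=A "$2" "$3")
    fi
    if printf '%s\n' "$files" | grep -Eq "$BLOCKED_RE"; then
        return 1
    fi
    return 0
}

# Build a repo with a base commit on main plus a commit adding payload.exe
# that is present in the object store but not reachable from any ref, which
# is what a direct push of that commit looks like to the hook.
# Prints: <repo> <base sha> <feature sha>
make_repo() {
    repo=$(mktemp -d)
    git init -q "$repo"
    git -C "$repo" checkout -q -b main
    echo 'hello' > "$repo/README"
    git -C "$repo" add README
    git -C "$repo" commit -q -m base
    base=$(git -C "$repo" rev-parse HEAD)
    git -C "$repo" checkout -q -b feature
    printf 'MZ' > "$repo/payload.exe"            # constructed placeholder content
    git -C "$repo" add payload.exe
    git -C "$repo" commit -q -m 'add payload'
    feature=$(git -C "$repo" rev-parse HEAD)
    git -C "$repo" checkout -q main
    git -C "$repo" branch -q -D feature           # commit stays, no ref points at it
    echo "$repo $base $feature"
}

# Simulate "open PR, press Merge": record the PR head under refs/pull/1/head,
# create a --no-ff merge commit, then move main back so that the merge commit
# is the only object a push of main would introduce. Prints the merge sha.
merge_pr() {   # <repo> <feature sha>
    git -C "$1" update-ref refs/pull/1/head "$2"
    git -C "$1" merge -q --no-ff -m 'Merge pull request #1' "$2" >/dev/null
    merge=$(git -C "$1" rev-parse HEAD)
    git -C "$1" reset -q --hard HEAD~1
    echo "$merge"
}

report() { "$1" "$2" "$3" "$4" && echo "$5: accepted" || echo "$5: rejected"; }

demo() {
    set -- $(make_repo)
    repo=$1; base=$2; feature=$3
    report naive_check  "$repo" "$base" "$feature" "naive check, direct push of payload.exe"
    merge=$(merge_pr "$repo" "$feature")
    report naive_check  "$repo" "$base" "$merge"   "naive check, merge of PR #1"
    report robust_check "$repo" "$base" "$merge"   "tree-diff check, merge of PR #1"
    rm -rf "$repo"
}
demo
```

Because `robust_check` compares what the ref pointed at before and after the update, it does not matter who created the merge commit or whether its parents were already in the repository, so the self-merge and two-colluding-users variants mentioned above fall under the same check. Note that `--diff-filter=A` only catches files that are new relative to `oldrev`; if the policy should also refuse renames into a blocked extension, drop the filter or add `R` to it.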