DevSecOps series No. 1 — Breaking the CI/CD by using evil Git repositories

This is the first post of a series about DevSecOps. We'll discuss (in)security in the DevSecOps process.

Today we'll look at the security of the build process when you need an external Git repository.

Cloning Git repositories is a usual task for a CI pipeline when you build artefacts. Some programming languages rely on Git even more heavily for the build. For example, in Go you can declare dependencies as GitHub URLs:

package main

import (
	"os"
	"github.com/pkg/errors"
	"github.com/spf13/cobra"
)

func main() {
	// Both dependencies are fetched from GitHub when the module is built.
	root := &cobra.Command{
		Use: "demo",
		RunE: func(cmd *cobra.Command, args []string) error {
			return errors.New("not implemented")
		},
	}
	if err := root.Execute(); err != nil {
		os.Exit(1)
	}
}

This is a very common task in a CI process. Nothing strange there.

Software bombs (think zip bombs or fork bombs) are a very old concept in computer security. As you can imagine, the Git bomb idea also exists.

Since 2017 a PoC Git bomb has been available. You can get more information on the author's web site: https://kate.io/blog/git-bomb/

Basically, a Git bomb is a specially crafted Git repository designed to make the clone blow up and never finish. Git stores trees by content hash, so one tree object can be referenced many times at every nesting level: a repository whose objects total a few kilobytes expands on checkout into billions of paths, eating CPU, memory and disk.

If any repository your build depends on gets compromised (or its author is a "funny guy"), the clone step will bring down your CI machine.

In the best case (if your CI machine is hardened) the process ends when a timeout is reached instead of exhausting the runner.

Here you can see what happens when we try to clone the Git bomb PoC repository:

The process was cancelled after 4 minutes.

You can also see that CPU consumption was very high (near 100%):

I hope you like this post. Soon I'll write more posts about DevSecOps!

More posts about DevSecOps series

Next post: DevSecOps series No 2 — Automatic checking Dockerfiles for security.

cr0hn

REST API Cybersecurity and Hacking & Python Architect. +100 GitHub projects. Speaker