防手抖開源之 Git 鉤子
- 2020 年 2 月 10 日
- 筆記
最近「從開源到跑路」的事件逐漸增多,給涉事企業造成了不小的損失。因而相關的防範工作顯得愈發重要。
客觀而言,人為手動的防範顯得原始和笨拙,好在git提供了相關的鉤子方法,為我們這裡的防範提供了可行性。
這裡我們以git push 命令對應的pre-push鉤子為例,因為想要開源出去,這個命令通常是必須執行的。
編寫git pre-hook
#!/bin/sh # An example hook script to verify what is about to be pushed. Called by "git # push" after it has checked the remote status, but before anything has been # pushed. If this script exits with a non-zero status nothing will be pushed. # # This hook is called with the following parameters: # # $1 -- Name of the remote to which the push is being done # $2 -- URL to which the push is being done # # If pushing without using a named remote those arguments will be equal. # # Information about the commits which are being pushed is supplied as lines to # the standard input in the form: # # <local ref> <local sha1> <remote ref> <remote sha1> # # This sample shows how to prevent push of commits where the log message starts # with "WIP" (work in progress). remote="$1" url="$2" echo $url if [[ $url == *"[email protected]"* ]]; then echo "github repo refused to push" exit 1 fi if [[ $url == *"https://github.com"* ]]; then echo "github repo refused to push" exit 1 fi z40=0000000000000000000000000000000000000000 while read local_ref local_sha remote_ref remote_sha do if [ "$local_sha" = $z40 ] then # Handle delete : else if [ "$remote_sha" = $z40 ] then # New branch, examine all commits range="$local_sha" else # Update to existing branch, examine new commits range="$remote_sha..$local_sha" fi # Check for WIP commit commit=`git rev-list -n 1 --grep '^WIP' "$range"` if [ -n "$commit" ] then echo >&2 "Found WIP commit in $local_ref, not pushing" exit 1 fi fi done exit 0
攔截程式碼解釋
remote="$1" url="$2" echo $url if [[ $url == *"[email protected]"* ]]; then echo "github repo refused to push" exit 1 fi if [[ $url == *"https://github.com"* ]]; then echo "github repo refused to push" exit 1 fi
上述的程式碼
- 攔截git協議的到github遠程倉庫的push請求
- 攔截https協議的到github遠程倉庫的push請求
除此之外,我們還可以做什麼
- 可以根據自身需要增加
[email protected]等屏蔽 - 根據需要,可以判定倉庫名稱來屏蔽。
- 編寫shell語句,實現更加複雜的攔截處理
完整文件地址: https://asset.droidyue.com/content/pre-push
針對單個Repo生效
將上述pre-push 放入項目的.git/hooks/下面即可
針對全局生效
git 2.9 開始支援 設置全局git hook路徑
git config --global core.hooksPath /Users/yourUserName/.git/hooks
將上述pre-push 放入/Users/yourUserName/.git/hooks
支援文件可執行許可權
chmod a+x your_pre_push_hook_path
效果演示
[email protected]:/tmp/vim_katana(master|) % git push origin master [email protected]:androidyue/vim_katana.git github repo refused to push error: failed to push some refs to '[email protected]:androidyue/vim_katana.git'
效果有多少
防止惡意開源,並不能。只是理論上稍微提高了一點門檻。
這是因為
- 惡意開源者可能刪除這些git鉤子
- 惡意開源者可以使用別的形式公開程式碼
它能做什麼
- 如題所屬,它是自身無意原因或者某些惡意中間環節導致開源的最後一道防線。
源碼安全無小事,事事需謹慎。
