Sneaky Git Commits
13 days ago
- #security
- #git
- #version-control
- Git merge commits can record changes that appear in neither parent (the Git glossary calls this an "evil merge"). Because `git log -p` (`-u` is a synonym) shows no diff for merge commits by default, such changes are invisible in the usual history view, making them 'sneaky'.
- Sneaky merge commits can be created with `git merge --no-commit`, editing the working tree, then `git commit`; or by committing the merge normally, editing, and folding the edit in with `git commit --amend`.
- The Git documentation warns against abusing merge commits for substantial changes, though small fixes are acceptable.
- A contrived supply chain attack scenario is described where a backdoor could be hidden in a merge commit, bypassing review.
- A repository's history can be checked for sneaky merges by replaying every merge (for example with `git merge-tree --write-tree`) and comparing the replayed tree with the tree the merge commit actually records; any difference is either a manual conflict resolution or something added during the merge.
- Semantic conflicts (e.g., one side adds a call to a function the other side renames) cause false positives: the textual merge is clean, but the committer had to hand-fix the result, so the recorded tree legitimately differs from the replayed one.
- An analysis of the Linux kernel (v6.14 to v6.15) found no sneaky merges, only semantic conflicts.