The gift that keeps giving Exploiting Git Integrations in Cl...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://nopnop.pro/2026/06/17/exploiting-git-integrations-in-cloud-services
• Blog Title: The gift that keeps giving: Exploiting Git Integrations in Cloud Services
• Suggested Section: Network Services Pentesting -> 80,443 - Pentesting Web Methodology -> Git, or a new subsection such as 'Exploiting Git Integrations / Git CLI Abuse in Web Apps'

🎯 Content Summary

The gift that keeps giving: Exploiting Git Integrations in Cloud Services

The post analyzes why cloud products that expose Git operations through a web UI create a large server-side attack surface. Typical cloud Git integrations clone attacker-controlled repositories, expose file browsing/editing, and map UI actions such as commit, diff, branch switching, pull, merge, dependency import, and package installation to real git CLI commands or Git library calls executed on the...

🔧 Technical Details

Git config-to-RCE in CLI-backed integrations: If an application shells out to the native Git CLI and an attacker can write or append to .git/config, the attacker can configure execution directives such as core.fsmonitor, core.sshCommand, core.gitProxy, credential.helper, filter.<name>.clean, filter.<name>.smudge, diff.external, core.pager, or core.editor. Later Git operations trigger those commands. Append-only writes can still work because Git accepts duplicate INI sections and the last value may override earlier values.

Git hook and core.hooksPath hijacking: Git executes hook scripts on operations such as commit, checkout, merge, pull, and push. A file-write primitive into .git/hooks/ can plant a hook directly. A config-write primitive can redirect core.hooksPath to a controlled...

🤖 Agent Actions

Done.

Updated:

• src/network-services-pentesting/pentesting-web/git.md

Added concise new content for:

• Git config-to-RCE primitives in CLI-backed integrations
• core.hooksPath / hook hijacking
• buried bare repo abuse
• Git argument injection via missing --
• shell injection via unescaped working directories
• symlink-based repo escape
• npm local dependency symlink blacklist bypass / JGit core.symlinks abuse
• a practical escalation checklist for Git-backed file primitives

Also updated the file’s ## References with:

• the original blog
• SonarSource argument-injection vectors
• justinsteven’s buried bare repo advisory
• Tenable’s related Looker writeup

Validation:

• Re-read the modified file
• Confirmed ## References appears once and remains at the end
• Confirmed the banner include is still the last line
• mdbook build could not be run because mdbook is not installed in this environment

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://nopnop.pro/2026/06/17/exploiting-git-integrations-in-cloud-services

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> 80,443 - Pentesting Web Methodology -> Git, or a new subsection such as 'Exploiting Git Integrations / Git CLI Abuse in Web Apps'".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0