
Prevent spoofing on git repositories on Azure DevOps

It seems pretty easy to spoof other users in a Git repository on Azure DevOps, since there is no built in way of preventing this.

I can change the committer using

git config --global user.email "foo@bar.baz"
git config --global user.name "foo"

And I can change the author using

git commit --author="foo <foo@bar.baz>"

Azure DevOps allows me to simply push these changes. Again, there doesn't seem to be a default way to ensure commits are really from the claimed author.

Author: foo / Committer: bart1 / Pushed by: bart2

Of course, I am shown as the person who pushed them. However, if my repository is ever moved to another Azure DevOps project, this information will not be transferred to the new location, because there the code is pushed by the user performing the move.

If we need to know for sure who changed what code, for auditing reasons, what would be the best approach? Is this at all possible in Azure DevOps with Git? Or do we need to switch to a different source control system?

If we need to know for sure who changed what code, for auditing reasons, what would be the best approach?

You should have your developers cryptographically sign their commits using GPG keys. See documentation from GitHub, or the Git book, etc.

You should also configure your CI environment to reject commits that do not have a valid signature.
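As an added illustration of the CI gate this answer recommends (example code written for this page, not part of the answer above or of any Azure DevOps feature): a POSIX shell check that consumes the per-commit signature status Git reports via `%G?` and fails the pipeline unless every commit carries a good signature from a key the CI host trusts. `BASE_REF` is a placeholder for the merge base, and the check assumes the pipeline's `GNUPGHOME` holds only the developers' public keys with trust assigned, since a good signature from an untrusted key is reported as `U`, not `G`.

```shell
#!/bin/sh
# Added example, not from the original post: a CI gate that rejects commits
# lacking a valid, trusted signature. Input lines have the shape
#   <sha> <status> <signer>
# exactly as produced by `git log --format='%H %G? %GS'`.
# %G? values: G good/trusted, U good/untrusted key, B bad, N unsigned,
#             E cannot verify (missing key), X/Y/R expired or revoked.

# check_signatures: read status lines from stdin; return 0 only if every
# commit has status G. Policy choice: anything else, including a good
# signature from a key the CI host has not explicitly trusted, is rejected.
check_signatures() {
    failed=0
    while read -r sha status signer || [ -n "$sha" ]; do
        [ -z "$sha" ] && continue
        case "$status" in
            G) ;;                                                        # good signature, trusted key
            U) echo "REJECT $sha: good signature but untrusted key ($signer)"; failed=1 ;;
            N) echo "REJECT $sha: unsigned commit"; failed=1 ;;
            *) echo "REJECT $sha: signature status '$status' ($signer)"; failed=1 ;;
        esac
    done
    return "$failed"
}

# In a pipeline, verify every commit being merged. BASE_REF is a placeholder;
# GNUPGHOME must contain only the developers' public keys with trust set.
# git log --format='%H %G? %GS' "${BASE_REF:-origin/main}..HEAD" | check_signatures

# Constructed sample log (not from any real repository) so the gate can be
# run stand-alone: one trusted signer, one untrusted key, one unsigned commit.
printf '%s\n' \
    '1111111 G Alice Example <alice@example.com>' \
    '2222222 U Bob Example <bob@example.com>' \
    '3333333 N' | check_signatures || echo "gate: push rejected"
```

Rejecting `U` as well as `N` is deliberate: a signature only ties a commit to a key, and the key only ties to a person once the CI host has decided to trust it, so the gate is only as strong as the key list it verifies against.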

It seems pretty easy to spoof other users in an Azure DevOps Git repository.

Note that commit authors are unrelated to Azure DevOps. A better way to state your first sentence would be

It seems pretty easy to spoof other users in a Git repository.

Yes, that's true, because the commit authors can be set to any names the pusher wants them to be, similarly to how the authors of printed books can be set to any names the publisher wants them to be. (For example when a book has a famous person's name on the cover but was actually written by a ghost writer. Surely people use famous people as the author in Git as well, and sometimes for nefarious reasons.)

If you want to get (closer) to trusting that the commit authors are who they say they are, then see larsks's answer regarding signing commits.

Now, for the AzDO specific implementation of the push logs on the server side, you can see that it is showing correctly. You mentioned:

However, if my repository is ever moved to another Azure DevOps project, this information will be overwritten with the user performing the move.

Note, it would not be "overwritten" - the original push logs from this project would remain, but you would have another push log for the new project. If there was ever a question about something in that newly pushed repo, one might ask that pusher where they got it from.
