Adversarial Study

Adversarial Benchmark of .git/ Pillagers

Companion to Benchmark. Measures how each pillager holds up when the served.git/ is malicious.

Wang Yihang ·  updated Jul 12, 2026  ·  commit826a0a3

§1.Threat Model

We run each pillager against a series of maliciously-crafted.git/ directories, modeled after published research (justinsteven 2022, Driver Tom 2021) and well-known Git CVEs. A test is a FAIL if the malicious server attains code execution, arbitrary file write, or SSRF against the tool's container during recovery; PASS if the tool refused or contained the payload. Tools with unreported findings are anonymized as Tool A…F; the mapping is maintained internally until coordinated disclosure completes (see §5).

§2.Test Corpus

17 tests, drawn from public advisories and the Git CVE feed. Categories: RCE (remote code execution against the tool host), AFW (arbitrary file write outside the output directory), Info (information disclosure, e.g. SSRF), CVE (regression tests for Git CVEs that fire on git clone / checkout).

Table 4.Adversarial test corpus. CVE column lists upstream identifiers where available.

TestCategorySev.CVEDescription
A1-FSMONITORRCEHcore.fsmonitor in .git/config executes attacker command on any git operation (justinsteven 2022)
A2-PAGERRCEMcore.pager in .git/config executes attacker command on git log / git show / git diff
A3-SMUDGE-FILTERRCEHfilter.<name>.smudge in .git/config + .gitattributes filter=<name> on a tracked file executes attacker command on git checkout
A4-DIFF-EXTERNALRCEMdiff.external in .git/config executes attacker command on git diff
A5-CORE-EDITORRCELcore.editor / sequence.editor in .git/config executes attacker command on git commit / rebase (uncommon for pillagers)
B1-INDEX-TRAVERSALAFWHCrafted .git/index has entries with ../../ paths; git checkout / checkout-index writes blobs outside the repo (Driver Tom 2021)
C1-HTML-TRAVERSALAFWHHTML directory listing with traversal anchor (<a href="../../canary/...">) lets a recursive pillager write outside its output directory (justinsteven 2022 second PoC)
C2-REDIRECT-FILEInfoMServer responds to every request with 302 Location: file:///etc/passwd; a pillager that follows non-HTTP(S) redirects ends up reading local files
C3-REDIRECT-SSRFInfoLServer redirects every request to http://127.0.0.1:12345/, an internal SSRF target; a sidecar listener on that port writes the canary if hit
C4-ABSOLUTE-PATH-WRITEAFWHHTML directory listing whose <a href> targets are server-controlled ABSOLUTE paths (leading `/`, `//`, encoded `%2f`, backslash roots) instead of relative `../` climbs: a recursive pillager that honours an absolute path writes outside its output directory. Sibling to C1 (relative traversal); the absolute targets are pointed at the mounted /canary so the escaping write is detectable (justinsteven 2022 / GHSA-hr3m-4qwq-3mgc corpus, Zac Wang 2026)
D1-HEAD-REF-TRAVERSALInfoMGHSA-hr3m-4qwq-3mgcCrafted .git/HEAD with `ref: ../../canary/<bait>` coerces the pillager into reading a file outside its output directory; the 40-char hex inside that bait file then leaks back to the attacker as object-path GETs (existence oracle + hex-fragment exfiltration, GitHacker <= 1.1.7, Zac Wang 2026)
E1-CVE-2025-48384CVEHCVE-2025-48384Submodule path containing carriage return in .gitmodules; on git clone --recursive, hook is written to attacker-controlled location (in-the-wild exploited 2025; Linux/macOS)
E2-CVE-2024-32002CVEHCVE-2024-32002Submodule with case-insensitive name collision plus symlink writes a hook on git clone --recursive (vulnerable git versions on case-insensitive filesystems)
E3-CVE-2018-11235CVEMCVE-2018-11235Submodule path containing ../ escapes $GIT_DIR/modules, allowing post-checkout hook execution (patched in modern git; tests fall back to PASS)
E4-CVE-2023-29007CVEMCVE-2023-29007Submodule URL >1024 chars injects arbitrary git config sections (core.pager etc.) via 'git submodule sync/deinit' on patched git also blocked; here as regression
E5-CVE-2017-1000117CVEMCVE-2017-1000117Submodule SSH URL of form 'ssh://-oProxyCommand=...' executes attacker command on git clone --recurse-submodules (patched in git ≥ 2.13.5)
F2-LFS-SMUDGECVEMCVE-2021-21300Git LFS smudge filter with case-insensitive name + symlink writes a shell script the git wrapper executes on clone (vulnerable git-lfs versions on case-insensitive filesystems)

§3.Results Summary

PASS rate per tool over the 17-test corpus. Higher is better — a PASS means the tool refused or contained the payload. Best in bold.

Table 5.Per-tool PASS rate across the full adversarial corpus. Best in bold.

ToolVersionPASS / TotalRate
GitHacker1.1.10+local17 / 17100.0%
Tool A15 / 1788.2%
Tool B17 / 17100.0%
Tool C17 / 17100.0%
Tool D16 / 1794.1%
Tool E16 / 1794.1%
Tool F17 / 17100.0%
RCE AFW Info CVE 0 9 17 PASS count (out of 17 tests) GitHacker 5 3 3 6 17/17 Tool A 5 2 2 6 15/17 Tool B 5 3 3 6 17/17 Tool C 5 3 3 6 17/17 Tool D 5 3 2 6 16/17 Tool E 5 3 2 6 16/17 Tool F 5 3 3 6 17/17
Figure 5.PASS counts per tool, segmented by attack category. Darker segments encode higher-severity categories (RCE darkest, Info lightest) so the figure retains comparison under grayscale print.

§4.Per-Test Matrix

PASS / FAIL grid per (test × tool). Every verdict is published; anonymity is enforced only at the tool name (Tool A…F), since the test corpus is already public research.

Table 6.Per-test verdict matrix. PASS = tool resisted the payload; FAIL = exploit succeeded.

TestCat.Sev.GitHackerTool ATool BTool CTool DTool ETool F
A1-FSMONITORRCEHPASSPASSPASSPASSPASSPASSPASS
A2-PAGERRCEMPASSPASSPASSPASSPASSPASSPASS
A3-SMUDGE-FILTERRCEHPASSPASSPASSPASSPASSPASSPASS
A4-DIFF-EXTERNALRCEMPASSPASSPASSPASSPASSPASSPASS
A5-CORE-EDITORRCELPASSPASSPASSPASSPASSPASSPASS
B1-INDEX-TRAVERSALAFWHPASSFAILPASSPASSPASSPASSPASS
C1-HTML-TRAVERSALAFWHPASSPASSPASSPASSPASSPASSPASS
C2-REDIRECT-FILEInfoMPASSPASSPASSPASSPASSPASSPASS
C3-REDIRECT-SSRFInfoLPASSFAILPASSPASSFAILFAILPASS
C4-ABSOLUTE-PATH-WRITEAFWHPASSPASSPASSPASSPASSPASSPASS
D1-HEAD-REF-TRAVERSALInfoMPASSPASSPASSPASSPASSPASSPASS
E1-CVE-2025-48384CVEHPASSPASSPASSPASSPASSPASSPASS
E2-CVE-2024-32002CVEHPASSPASSPASSPASSPASSPASSPASS
E3-CVE-2018-11235CVEMPASSPASSPASSPASSPASSPASSPASS
E4-CVE-2023-29007CVEMPASSPASSPASSPASSPASSPASSPASS
E5-CVE-2017-1000117CVEMPASSPASSPASSPASSPASSPASSPASS
F2-LFS-SMUDGECVEMPASSPASSPASSPASSPASSPASSPASS
"—" means the tool did not produce a verdict for that test (run error or skip), not that the result is withheld.

§5.Disclosure Timeline

Each finding's coordinated-disclosure state, plotted across observation, vendor contact, and patch landing. Findings still under embargo do not appear here until we contact upstream.

May 2026 May 2026 observed reported patched DIS-2026-001 GitHacker DIS-2026-002 Tool C DIS-2026-003 Tool F DIS-2026-004 Tool A DIS-2026-005 Tool C DIS-2026-006 Tool F DIS-2026-007 Tool A DIS-2026-008 Tool D DIS-2026-009 Tool E
Figure 6.Disclosure timeline. Bar spans from first observation to most recent milestone. Markers: ● observed · ▪ reported · ◆ patched.

Table 7.Disclosure tracker. Status terms follow standard coordinated-disclosure stages.

IDTestToolSev.StatusFirst obs.CVE
DIS-2026-001C3-REDIRECT-SSRFGitHackerLpatched2026-05-27
DIS-2026-002A1-FSMONITORTool CHconfirmed2026-05-27
DIS-2026-003A1-FSMONITORTool FHconfirmed2026-05-27
DIS-2026-004B1-INDEX-TRAVERSALTool AHconfirmed2026-05-27
DIS-2026-005B1-INDEX-TRAVERSALTool CHconfirmed2026-05-27
DIS-2026-006B1-INDEX-TRAVERSALTool FHconfirmed2026-05-27
DIS-2026-007C3-REDIRECT-SSRFTool ALconfirmed2026-05-27
DIS-2026-008C3-REDIRECT-SSRFTool DLconfirmed2026-05-27
DIS-2026-009C3-REDIRECT-SSRFTool ELconfirmed2026-05-27

§6.Anonymity Policy

8 findings are currently pre-disclosure. We publish the full verdict matrix and the disclosure tracker, but the affected tool names render asTool A…F until each upstream maintainer is contacted. The mapping is held in this repository's private disclosure tracker and is rotated forward — never reused — once a finding reaches disclosed. GitHacker is never anonymized in either direction.

References

  1. justinsteven.Various abuses of core.fsmonitor in a directory's .git/config. 2022. github.com/justinsteven/advisories
  2. Driver Tom.别想偷我源码:通用的针对源码泄露利用程序的反制. 2021. drivertom.blogspot.com
  3. Git project. Security advisories.github.com/git/git/security/advisories