+ |
The most complete workaround is to disable credential helpers |
+ |
altogether: |
+ |
|
+ |
git config --unset credential.helper |
+ |
git config --global --unset credential.helper |
+ |
git config --system --unset credential.helper |
+ |
|
+ |
An alternative is to avoid malicious URLs: |
+ |
1. Examine the hostname and username portion of URLs fed to git clone |
+ |
for the presence of encoded newlines (%0a) or evidence of credential- |
+ |
protocol injections (e.g., host=github.com) |
+ |
2. Avoid using submodules with untrusted repositories (don't use clone |
+ |
--recurse-submodules; use git submodule update only after examining the |
+ |
URLs found in .gitmodules) |
+ |
3. Avoid tools which may run git clone on untrusted URLs under the hood |
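
Review bot: The three "git config --unset credential.helper" commands in the workaround block do not guarantee that helpers are disabled. credential.helper is a multi-valued key, and --unset refuses to remove anything when more than one value is set at that scope. A helper configured per URL as credential.<url>.helper is not touched either. Suggest using --unset-all in each of the three commands, and adding a verification step such as: git config --show-origin --get-regexp '^credential\..*helper$' so the reader can confirm nothing remains and see which file any leftover entry comes from. In item 1, the newline example should also mention %0A, since percent-encoding is case-insensitive.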