Home/ Questions/Q 6861791
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T02:34:50+00:00

I’m using git and Codebase for a project. I just did a test and

  • 0

I’m using git and Codebase for a project.

I just did a test and I’m able to commit to the git repository with a different email address and name set which causes it to tag the commit as being by a different user. I pushed this to the repository and it showed up as that user having committed even though it was me.

Is there a way to prevent users from committing or pushing with someone else’s user details (effectively so they can’t “forge” commits as being from a different user)?

Edit:

I assume this authentication would need to happen at the stage of pushing commits to the server since in the local working copy it’s simply a repository which the user has full access to, to do whatever they want with. Is this therefore something I should ask Codebase about maybe?

Edit 2:

Git config as requested:

(repo/.git/config)

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    ignorecase = true
[remote "origin"]
    fetch = +refs/heads/*:refs/remotes/origin/*
    url = git@codebasehq.com:<redacted company name>/<redacted project name>/test.git
[branch "master"]
    remote = origin
    merge = refs/heads/master
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Ooops: While this is a valid technique, it assumes you have effectively full control over the server. If you’re using a hosted solution all bets are off.

    You can validate the author name and email in the repository’s update hook. You can get both values like this:

    #!/bin/sh
set -- refname sha1_old sha1_new
author_name=$(git log --pretty=format:%an $sha1_new)
author_email=$(git log --pretty=format:%ae $sha1_new)

    The trick, of course, is figuring out whether or not these are valid. Here’s one trick:

    You can use the command="" option in your ssh configuration to make a wrapper around git-receive-pack that maps ssh keys to author information. For example, something like this:

    #!/bin/sh

GV_AUTHOR_NAME="$1"
GV_AUTHOR_EMAIL="$2"

export GV_AUTHOR_EMAIL GV_AUTHOR_NAME
eval exec $SSH_ORIGINAL_COMMAND

    And you would use an authorized_keys line something like this:

    command="~/bin/gitvalidator 'Lars Kellogg-Stedman' 'lars@seas.harvard.edu'" ssh-rsa ...

    The result of all this is that your update script would have the environment variables GV_AUTHOR_NAME and GV_AUTHOR_EMAIL available, and could check these against the commit and exit with an error if they didn’t match.

    • 0