Git Token

[l0ners]

Hello,
I would like to use git token,because they look similar, but they don't seem to have the same principles.
Please advise

[jayjb]

Hi @l0ners,

A git token would be great, but we haven't had much of a request for it. If you have any idea to achieve one, we would totally love a PR. Otherwise we can chat it out here and hopefully come up with something.

[jgrumboe]

Could such a token be achivied with a post-checkout git hook? https://git-scm.com/docs/githooks#_post_checkout
Thinking of scripts for each OS family (Linux, Windows, MacOS) doing a simple DNS lookup of a canarytoken.

[ChlorideCull]

It's 2023, and while git is in general very good at not running code or requesting URLs without the explicit consent of the user, you can surprise an attacker by using a blobless clone, and then baiting them with a nice message of a commit that hasn't been pulled down yet - say "Added AWS integration", for example. If you then run git checkout to get the commit, which usually doesn't require network access, you will try to get the data from the server, which can be used for a canary token.

But, fundamentally, the reason an SVN token works is because SVN needs to talk with the server for everything - Git is designed to work without a server, so getting it to talk to one without the user intending to is, and always will be, a pain.