In May, I discovered two root privilege escalation vulnerabilities that took advantage of this Git import service. Glitch has now fully removed this service.
This was a fun time. I finally learned just why there are two separate lchown functions. And I learned a lot about how git clone works internally and how it communicates with a “dumb HTTP” type remote server. And, not least, I got to play around and see what evil things an attacker with root access could do, the findings from which I’d also like to recount for you after the related issues are fixed.