This is how youtube-dl ended up inside the github/dmca repo.
I understand the situation in the OP, but why is this happening?
Edit: ah, someone forked that repo and pushed the full source. It is the same situation as the OP.
That’s part of the reason why I migrated HardenedBSD to self-host its git server. A few of the other reasons:
Do you run any frontend for git like cgit, gitea or gitlab or the like? Or just plain old git, ssh and email?
We use Gitea: https://git-01.md.hardenedbsd.org/
Pretty cool, and I’m sure some day once this “low impact” issue has been long forgotten, someone will be able to execute an actual hack with this.
If only we’d trained people to curl random files from the internet that look vaguely sane from the URL, and pipe them straight into a root shell to execute commands 🤔
This, however, is an actual and my only Linux kernel commit: https://github.com/torvalds/linux/commit/b7b1d645bb7a3dab4be9d4114cbe319b67a45c01#diff-e1c95aa5c1a33cdd6bd89a7ce910d4b2 - no trickery involved and I’m proud of it!