If you are an adventurous sort (and can handle a potential reboot) I invite you to clone this tiny repo:
$ git clone https://github.com/Katee/git-bomb.git
Were you able to clone it? Unless you have quite a lot of memory (both RAM and storage) git was killed, ran out of memory, or you had to reboot. Why is this? It is a perfectly formed repo made of only 12 objects.
How does a tiny repo cause git to run out of memory? The secret is that git de-duplicates “blobs” (which are used to store files) to make repositories smaller and allow using the same blob when a file remains unchanged between commits. Git also allows de-duplication of “tree” objects (which define the directory structure in a repository).
git-bomb tries to make a billion files, however it only has 10 references to the file blob and only has 10 tree objects in all.
This is extremely similar to the “billion laughs” (aka “XML bomb”) hence the name “git bomb”.
At the bottom there is a file blob containing “one laugh”:
$ git show 5faa3895522087022ba6fc9e64b02653bd7c4283 one laugh
There is one tree object that refers to this blob 10 times
$ git ls-tree 6961ae061a9b89b91162c00d55425b39a19c9f90 100644 blob 5faa3895522087022ba6fc9e64b02653bd7c4283 f0 100644 blob 5faa3895522087022ba6fc9e64b02653bd7c4283 f1 # … snipped 100644 blob 5faa3895522087022ba6fc9e64b02653bd7c4283 f9
Then 9 layers of tree objects that refer to the tree object below them (here is the top tree object):
$ git ls-tree 106d3b1c00034193bbe91194eb8a90fc45006377 040000 tree 8d106ebc17b2de80acefd454825d394b9bc47fe6 d0 040000 tree 8d106ebc17b2de80acefd454825d394b9bc47fe6 d1 # … snipped 040000 tree 8d106ebc17b2de80acefd454825d394b9bc47fe6 d9
The master ref just points to the top-most tree object:
$ git log --pretty=format:"%s | tree: %T" Create a git bomb | tree: 106d3b1c00034193bbe91194eb8a90fc45006377
Trying to interact with this repo using anything that has to walk the tree (
git checkout) runs into memory issues because git builds the tree in memory before writing files to disk. That means the process is killed instead of filling up your disk space.
Here is a slightly different version of the same idea. This repo has 15,000 nested tree objects. On my laptop this ends up blowing up the stack and causing a segfault.
$ git clone https://github.com/Katee/git-bomb-segfault.git
If you’d like to make your own git bombs read the next post Making Your Own Git Bombs.
2017-10-11: Got a go-ahead from Github on Hackerone to post this.
2017-10-12: Was awarded a bounty by Github on Hackerone.
2017-10-12: This post was on the front page of Hacker News and received comments.
2017-10-13: There is a discussion of this on the git mailing list. It includes a mention of a repo of this nature being uploaded to Github in 2014.
2017-10-14: CVE-2017-15298 💫
2017-10-15: Josh Lee uploaded a similar repo to GitHub long before me and even gave it a very similar name! The actual repo is disabled, and he never wrote about it publicly.
Thank you Wesley for pairing on many weird git repos. He is currently looking for a job, and I can say from experience pairing with him is fantastic. If you are hiring get in touch with him firstname.lastname@example.org.