假设我有提交哈希但我没有任何权限访问 git 存储库,是否有可能获得提交的时间?
如何做到这一点?
根据 this answer ,提交哈希值包含完成日期和时间。
例子:
1484e89060b2043be0b71209bacc2254161f1a8f
制作于 Wed Sep 3 09:30:59 2014 +0300
。
最佳答案
如“Are there any dangers in exposing git sha1 commit hashes?”中所述:
There is absolutely no way you can correlate the SHA 1 hash of a git commit to the actual contents of the commit.
Though SHA-1 is nominally one-way, this would theoretically allow an attacker, who wants to guess the contents of an object, to verify whether his guess is correct or not.
This would entail guessing exactly, down to the last bit, including time stamps and other similar things.
因此,如果您无法访问完整的 git 存储库,那似乎是不可能的。
如 this thread 中所述,您唯一可以使用 SHA1 做的就是找到具有相同 SHA1 的内容:
The term "reverse" is not the right word to use.
What is meant is that you can generate another input for which the SHA1 output matches your other SHA1 output. This is because SHA1 has collisions.So "
foo
" could hash to 1 and "bar
" could hash to 1 also.
It doesn't mean 1 meansfoo
, but it means if your password isfoo
,bar
works too when hashed and compared against a stored hash.If the original input is not very short, it's extremely unlikely that an input with the same SHA-1 hash could be found.
These attacks work because the passwords are weak and SHA-1 is fast to compute, not due to any weakness of SHA-1 as a cryptographic hash function.
注意:那个(找到具有相同 SHA1 的内容)实际上是什么项目 bradfitz/gitbrute确实(为了“有趣”)
gitbrute
brute-forces a pair of author+committer timestamps such that the resulting git commit has your desired prefix.It will find the most recent time that satisfies your prefix.
关于git - 是否可以在知道提交哈希但无法访问存储库的情况下获取提交的时间/日期?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/25642821/