Default to not accepting the creation of . prefixed folders?

[consideRatio]

I think having nbgitpuller create folders prefixed with . isn't relevant enough to be enabled by default for securiyt reasons. I think its a relatively easy way to create exploits if someone is baited to clicking a malicious nbgitpuller link.

Should we add configuration to make it disabled by default, forcing it to be made opt-in?

[mathbunnyru]

I'm so sorry, I haven't used nbgitpuller, can it create files in the home dir?

For example, can it create .bashrc in the /home/jovyan/?
Unfortunately, .bashrc might be sometimes missing in our images (because of mounting volumes and user renaming), so if this file can be created by nbgitpuller, it makes this vulnerability even worse.

[consideRatio]

It can't i think initialize a file directly, but folders can be initialized with files in it.

[manics]

Also worth noting that targetPath can be set to an arbitrary absolute or relative path, overriding the default git folder name, and allowing creation of directories outside the working directory. If for example you mounted an new empty volume to /home/jovyan, you could set targetPath=/home/jovyan.

[mathbunnyru]

Also worth noting that targetPath can be set to an arbitrary absolute or relative path, overriding the default git folder name, and allowing creation of directories outside the working directory. If for example you mounted an new empty volume to /home/jovyan, you could set targetPath=/home/jovyan.

That's really unfortunate because this sounds even more dangerous now.