## Description: 

When a repo is forked, commits made to the forked repo are able to be fetched from the original repo.  This is not normally an issue as these commits do not have a way to be discovered as they are not normally associated with a tag or branch.

The issue is that when someone submits a change to a submodule that references the original repo, there is no verification that the commit is authored/authorized by the original repo, and a third part is able to "inject" code into the original repo w/o write/push access, and get a third party to think that their [possibly] malicious code was authored by that original repo.

## Steps To Reproduce:

Three accounts are used, they are:
comproj: This is the user that hosts a repository that is going to be compromised by this attack
upstream123: This is the user who hosts a dependancy of comproj that will be used.
maliciousrepo: This is the user the will "inject" code into the dependancy and issue a pull request to comproj.

1. Create three accounts, listed above.
1. Have user upstream123 create a repository, such as: https://github.com/upstream123/depproj
1. Add some code to the depproj repo.
1. Have user comproj create a repository, such as: https://github.com/comproj/proj
1. Checkout proj, and add depproj as a repo:
   ```
   git submodule add https://github.com/upstream123/depproj.git depproj
   git commit
   git push -u origin main
   ```
1. As the user maliciousrepo, fork depproj, and make a change.  Make note
   of this commit id, as it will be used later.
1. Push the change above to github.
1. Fork the proj to be attacked, and clone it as a local user.
   ```
   git clone https://github.com/maliciousrepo/proj malproj
   git submodule update --init
   ```
1. Update the submodule to the malicous code using the commit id noted earlier
   ```
   cd depproj
   git fetch origin  <commitid>
   git checkout <commitid>
   cd ..
   git commit -a
   ```
   Note that even though the submodule points at upstream123, the above command
   pulled code from maliciousrepo's fork despite maliciousrepo not having write
   access to the upstream repo.
1. Push the changes to github, and create a pull request.
1. Have user comproj review the pull request, and see that it only changes the
   commit, and not the repo that it points to.  The user can now accept the pull
   request thinking that the code pulled is coming from upstream123, but actually
   the code came from maliciousrepo.