SHARE

git-folder-exposed

Recently, I read about an innocent mistake committed often by web developers and thought it’d be nice to share it on fossBytes. Developers risk the security of their entire website by exposing their .git folder. This is a recipe for disaster as it keeps all the information at one place. If someone has an access to your .git folder, one can download your entire code repo along with the database passwords, hashes, salts, and the third party API keys, and user data.

Security researcher Jamiem Brown, as a part of his personal project, collected and build a database of about 1.5 million big and respected websites. Most of these websites were trusted news websites, educational, or government domain websites- or they were backlinked by such websites. To his surprise, he found that out of the 1.5 million websites, 2,402 have committed the crime of exposing their .git folder- and thus they were downloadable.

As mentioned above this downloadable .git folder contains all the website information and could be easily used to cause some serious damage. The ratio of vulnerable websites was about 1 in every 600 respected website- i.e. about 0.16 percent, which is a very dangerous amount.

It should also be noted that not every .git repo contains sensitive information. Still, out of the large sample set, many websites were hackable using the .git folder as they contained API keys of Amazon AWS or Google Cloud, FTP details to their own server, the hidden folders, or database backups in .SQL files.

How to check if your .git folder is exposed?

  • All the web developers who use git for their source code management must immediately take a look at http://www.yourdomainname.com/.git/
  • If your .git folder is visible, lock it down immediately!!

How to lock down your .git folder access?

If your .git folder is visible, the ideal way to lock it down is to delete it and look for a better way to deploy your code. Assuming that someone has already downloaded every data, change all the relevant passwords, API keys, hashes or salts.

To prevent your .git folder, you can create a .htaccess file in each .git directory and deny access, but there are ways to make this global by putting it into the main config file.

You can use the following simple and clean way to hide any file or directory (and return 404) whose name begins with .git. If you put it in the root htdocs, it does a global job. Take a look:

RedirectMatch 404 /\.git

The above piece of code can go into .htaccess or your server config file. It hides any file or directory whose name begins with .git (e.g. a .git directory or .gitignore file) by returning a 404. So not only are the contents of your Git repo hidden, its very existence is hidden too. Make sure you verify the access to http://www.yourdomainname.com/.git/ after making this change.

Jamie writes on his blog that this could be the “biggest hole in the internet” right now. Please spread the work among the fellow web developers to make the web a safer place.

Also Read: Project Shield: Google Wants to Protect News and Human Rights Websites from DDOS Attack

Image Source: Stackoverflow

Did you find this information helpful? Tell us your views in comments below.

For more updates and interesting stories from fossBytes, subscribe to our newsletter. [newsletter_signup_form id=1]