The latest articles on Forem by David Adi Nugroho (@lakuapik). https://forem.com/lakuapik https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F91339%2F1236026d-a5bf-4174-b80e-e00720b2df11.png https://forem.com/lakuapik en David Adi Nugroho Wed, 15 Apr 2020 12:04:23 +0000 https://forem.com/lakuapik/don-t-make-your-git-folder-publicly-accessible-hacker-can-steal-your-source-code-41nh https://forem.com/lakuapik/don-t-make-your-git-folder-publicly-accessible-hacker-can-steal-your-source-code-41nh <p>Have you ever realized the danger of a publicly accessible .git folder?</p> <p>There are some developers who deploy their app to production using pure <strong>git clone</strong> method. They clone their app repository from gitlab/github/bitbucket directly to a web-root facing folder on server like /var/www/app/. That makes the .git folder exist in /var/www/app/.git.</p> <p>If you don’t have proper permission to that .git folder, it will be accessible to the public. Like this:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--jmzrGMYt--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://miro.medium.com/max/996/1%2AjOflET0r-jSjdEoRGV1MOA.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--jmzrGMYt--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://miro.medium.com/max/996/1%2AjOflET0r-jSjdEoRGV1MOA.png" width="498" height="566"></a></p> <p>And then hacker can download your .git folder using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>wget <span class="nt">-c</span> <span class="nt">-r</span> <span class="nt">-np</span> <span class="nt">-R</span> <span class="s2">"index.html*"</span> http://example.com/.git </code></pre> </div> <p>After downloaded, it’s just an empty folder with .git folder on it. It also has all commit history.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--PWBHt-Um--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://miro.medium.com/max/1268/1%2AxWZYs1xTHuNW12RqsV7JhQ.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--PWBHt-Um--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://miro.medium.com/max/1268/1%2AxWZYs1xTHuNW12RqsV7JhQ.png" width="634" height="150"></a></p> <p>Hacker can reset to latest commit to restore the source code files.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>git reset <span class="nt">--hard</span> HEAD </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--2fZT0Y8B--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://miro.medium.com/max/1136/1%2ASxfmb1fbf6aS0z0NEc8RqQ.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--2fZT0Y8B--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://miro.medium.com/max/1136/1%2ASxfmb1fbf6aS0z0NEc8RqQ.png" width="568" height="173"></a></p> <p>And boom, your source code is leaked!</p> <h1> Here is how to mitigate it: </h1> <p>Add/edit your .htaccess file to make the .git folder hidden<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>RewriteEngine on RewriteRule .*\.git/.* - [404] </code></pre> </div> <p>Why use 404 not found instead of 403 forbidden?<br><br> Hacker doesn’t even know if the .git folder exists, it’s 404. But if it’s 403 forbidden, hacker knows there is .git folder, only not accessible.</p> <p>Hope it helps.<br> Salam.</p> git security devops