Git clone — A devil in disguise

Luke Paris · Published in Paradoxis · Feb 22, 2017

So you or your company build this fresh new website. The code has been reviewed for security vulnerabilities and you’re confident it’s the most secure thing you’ve built so far. The passwords in your configuration files are strong and your server has all security patches installed. So what do you do?

root@production# git clone git@git-server.com:company/website.git
root@production# service apache2 start

Yet within 10 minutes of it being live, someone plunders your database, steals your source code and defaces your brand new website. What happened?! Well, you might want to look at that first command again.

More specifically, the git clone part. What you might have missed is that you just created a hidden directory in your web-root containing all of your source code, your configuration files and every change you’ve ever made to your project. We’re talking, of course, about the .git directory.

So what? It’s just a directory with a bunch of random binary files, who cares? Well, git does. Git doesn’t keep track of your code by magic; it does it using that exact directory, and every line of code you ever wrote on that project is in there. That includes every hard-coded password and every vulnerability you ever committed, and it’s there for the entire world to see.

All an attacker needs to do is download it and tell git to put all the files back, and they’ll have full access to all of your source code, not to mention the internal email addresses of every developer that worked on that project.

Proof of concept

So what would an attack like this look like from the attacker’s perspective? They would start by simply probing your website for an exposed .git directory. In the following example I set up my own local web server that was intentionally vulnerable.

Notice the “HTTP/1.1 200 OK” header?

Once the attacker knows your website allows requests to the .git directory, they need to mirror the directory itself:

You’re looking at the contents of a .git directory

This is where things get scary: the attacker can now list every single file that you’ve ever added to git. A simple git status is more than enough to find out what files you have in store for them:

Yeah, that’s all of your source code right there.

And now for the part that could ruin your business: exposing the source code and the passwords buried within it. Simply checking out the files they want to read is enough to expose your source code.

[Screenshots: passwords and internal email addresses recovered from the checked-out files]

Fixing the problem

Not all is lost; there’s a solution to every problem. There are a few ways to mitigate this. The first is simply not to have your .git folder in your web-root in the first place.
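As an added example (not code from the post), a small Python audit for that first mitigation: it walks a web root for .git (and, going beyond the post, other VCS metadata, an assumed set you can extend) before the site goes live, and lists the remote URLs a leaked .git/config would reveal. The sample web root, including a vendored clone with its own .git, is constructed inline.

```python
import os
import re
import tempfile
from pathlib import Path

# VCS metadata that must never ship into the document root (assumption: extend for your tooling).
VCS_METADATA = {".git", ".svn", ".hg"}

def find_exposed_vcs(webroot):
    """Return POSIX-style paths, relative to webroot, of every VCS metadata entry.
    '.git' is checked as a file too: submodules and worktrees use a '.git' file."""
    webroot = Path(webroot)
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in dirnames + filenames:
            if name in VCS_METADATA:
                hits.append((Path(dirpath) / name).relative_to(webroot).as_posix())
        # Do not descend into the metadata itself; one hit per repository is enough.
        dirnames[:] = [d for d in dirnames if d not in VCS_METADATA]
    return sorted(hits)

def leaked_remotes(git_dir):
    """Remote URLs from .git/config: the internal hosts an exposed repository reveals."""
    config = Path(git_dir) / "config"
    if not config.is_file():
        return []
    return re.findall(r"^\s*url\s*=\s*(\S+)", config.read_text(), flags=re.MULTILINE)

def build_sample_webroot(base):
    """Constructed layout reproducing the post's 'git clone straight into the web root'."""
    base = Path(base)
    (base / ".git" / "objects").mkdir(parents=True)
    (base / ".git" / "HEAD").write_text("ref: refs/heads/master\n")
    (base / ".git" / "config").write_text(
        '[remote "origin"]\n\turl = git@git-server.com:company/website.git\n')
    (base / "index.php").write_text("<?php echo 'hello';\n")
    (base / "vendor" / "lib" / ".git").mkdir(parents=True)  # vendored clone, own .git
    return base

def audit_sample():
    """Build the constructed web root in a temp dir and audit it; returns {path: remotes}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_webroot(tmp)
        return {hit: leaked_remotes(root / hit) for hit in find_exposed_vcs(root)}

if __name__ == "__main__":
    for path, remotes in audit_sample().items():
        print("exposed:", path, remotes or "(no remote URLs)")
```

Point find_exposed_vcs at the real document root (for example /var/www/html) as a pre-deploy check; any non-empty result means the clone should be moved or exported without its metadata.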

The second way you could fix this is by using a file called .htaccess or your Apache 000-default.conf file. They allow you to configure your web server to treat certain files and directories differently (they can do a lot more than that, but right now that’s not relevant). Simply add the following to prevent any access to your .git directory:

# Prevent access to publicly visible '.git' directories
# (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of "Deny from all")
<DirectoryMatch "(\.git)">
Deny from all
Options -Indexes
</DirectoryMatch>

And that’s it! Hopefully you’ll think twice about cloning your entire project straight into production; simply following these steps will save you a lot of time and money in the long run.
