In a recent blog article, Jamie Brown, a developer, revealed that in a crawl of 1.5 million websites, he found that 1 in 600 are exposing the .git folder, which in some cases contains sensitive information.
I’m sure you’re all aware of this, but for those who aren’t, Git is an extremely popular version control system first developed by Linus Torvalds for Linux kernel development, and propelled to stratospheric popularity by the rise of GitHub, the hosted Git service of choice for many open source projects.
Git stores the complete history of a repository locally, in a folder called .git: every version of every file that was ever committed, not just the copy currently checked out. That is what lets it quickly roll back any change made to a project, one of the key reasons developers use version control. Git repositories often contain a lot of information that isn’t intended for public consumption. They’re the messy workshop of development, and aren’t intended for general access.
Occasionally, sensitive information ends up in the .git folder. That can be API authentication data, database content, or just files that shouldn’t see the light of day. In an ideal world, nothing sensitive would be put in version control in the first place, but like I said, development is messy and projects with private version control repositories often don’t see the risk.
If they must have sensitive data in the repo, they should absolutely make sure that the .git folder isn’t uploaded to their production server. Deploying the output of git archive, or excluding .git from the rsync or FTP upload, takes care of that. And in the unfortunate event that it is uploaded anyway, it’s not difficult to configure the web server to refuse any request for a path under /.git/. Several failures of best practice have to line up before a publicly accessible .git folder is possible.
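As an added illustration of that web server rule (not configuration from the original article or from any site Brown surveyed), here is the weak default beside the corrected form for nginx. The document root path and port are assumptions for the example.

```nginx
# Weak: nothing here denies dotfiles, so if .git was uploaded with the site,
# /.git/HEAD, /.git/config and every /.git/objects/xx/... file are served as-is.
server {
    listen 80;
    root /var/www/example;   # assumed document root
}

# Corrected: refuse the .git directory before any other location can match it.
# Regex locations are tested in the order they appear, so keep this block above
# handlers such as "location ~ \.php$", otherwise /.git/foo.php could slip through.
server {
    listen 80;
    root /var/www/example;

    location ~ /\.git {
        return 404;          # 404 rather than "deny all" (403) so the response does not confirm the folder exists
    }

    # Broader rule: block every dotfile and dot-directory except the ACME challenge path
    location ~ /\.(?!well-known/) {
        return 404;
    }
}
```

Apache has the same effect with RedirectMatch 404 /\.git in the virtual host or .htaccess. To check a site from the outside, fetch /.git/HEAD: a live repository answers 200 with a body starting "ref: refs/heads/", a protected one should answer 404.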
A significant risk of putting sensitive information in version control is that an audit of the code itself may not find the problem. Because version control keeps a record of every change to every file, including files that were later deleted and secrets that were later edited out, a developer could audit a project’s visible files for risks, find nothing, and still end up with sensitive data in the .git folder, and on the web server.
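The following added example (not code from the original article) shows why the working-tree audit misses what the object store still holds. It writes two blobs into a constructed .git/objects directory the way Git stores loose objects (zlib-compressed "type size\0data", named by the SHA-1 of that header plus data), checks out only the cleaned version of a config file, then runs the two audits side by side. The file name, the key pattern and the AWS documentation placeholder key are all assumptions made for the demo.

```python
import hashlib
import os
import re
import tempfile
import zlib

# Assumption for the demo: the shape of an AWS access key ID, not a full secret scanner.
SECRET_RE = re.compile(rb"AKIA[0-9A-Z]{16}")


def git_hash_object(obj_type, data):
    """Encode a loose object as Git does: '<type> <size>' NUL '<data>', zlib-compressed on disk.
    Returns (sha1 hex object name, compressed bytes)."""
    raw = obj_type + b" " + str(len(data)).encode() + b"\0" + data
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def write_loose_object(git_dir, obj_type, data):
    """Store an object at <git_dir>/objects/<first 2 hex>/<remaining 38 hex>."""
    sha, body = git_hash_object(obj_type, data)
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(body)
    return sha


def iter_loose_objects(git_dir):
    """Yield (sha, type, data) for every loose object. Packfiles under objects/pack are not parsed here."""
    objects = os.path.join(git_dir, "objects")
    for fan in sorted(os.listdir(objects)):
        if len(fan) != 2:
            continue  # objects/pack and objects/info
        for rest in sorted(os.listdir(os.path.join(objects, fan))):
            with open(os.path.join(objects, fan, rest), "rb") as fh:
                raw = zlib.decompress(fh.read())
            header, _, data = raw.partition(b"\0")
            obj_type, _, size = header.partition(b" ")
            if int(size) != len(data):
                raise ValueError("corrupt object " + fan + rest)
            yield fan + rest, obj_type.decode(), data


def scan_objects_for_secrets(git_dir, pattern=SECRET_RE):
    """Search every blob in the object store, whether or not any current file still references it."""
    hits = []
    for sha, obj_type, data in iter_loose_objects(git_dir):
        if obj_type == "blob":
            hits += [(sha, m.group().decode()) for m in pattern.finditer(data)]
    return hits


def scan_tree_for_secrets(root, pattern=SECRET_RE):
    """The 'visible files' audit from the text: walk the checkout, skipping .git itself."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            with open(os.path.join(dirpath, name), "rb") as fh:
                hits += [m.decode() for m in pattern.findall(fh.read())]
    return hits


def build_demo_checkout():
    """Constructed sample: config.env once held a key; a later commit replaced it with a placeholder.
    Both blobs remain in .git/objects, only the placeholder version is on disk."""
    root = tempfile.mkdtemp()
    git_dir = os.path.join(root, ".git")
    leaked = b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"  # AWS documentation placeholder, not a real key
    clean = b"AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}\n"
    write_loose_object(git_dir, b"blob", leaked)
    write_loose_object(git_dir, b"blob", clean)
    with open(os.path.join(root, "config.env"), "wb") as fh:
        fh.write(clean)
    return root


def audit_checkout(root):
    """Run both audits; returns (working tree hits, object store hits)."""
    return scan_tree_for_secrets(root), scan_objects_for_secrets(os.path.join(root, ".git"))


if __name__ == "__main__":
    tree_hits, object_hits = audit_checkout(build_demo_checkout())
    print("working tree:", tree_hits)    # []
    print("object store:", object_hits)
```

The working-tree scan comes back empty while the object store still yields the key, and an attacker who can fetch /.git/objects/xx/yyyy... from an exposed server gets exactly those bytes. On a real clone the same search is easier with git log -p --all or git grep over git rev-list --all, which also covers packed objects; this script only reads loose ones, to show the on-disk format.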
And in case you think this is just an amusing bit of ineptitude, the consequences can be quite severe. Brown discovered one human rights organisation that was exposing, in a CSV file in its .git folder, a complete list of everyone who had signed up to a gay rights campaign. A company that made money selling digital reports had all of its reports exposed in .git. Add to that the hundreds of AWS credentials, database passwords, SQL backups, and FTP passwords for the sites concerned.
The moral of the story is this: be careful what you put in version control, even if it is a private repository, and be especially careful what you upload to your web server.