PSA: Hide your .git/config directory

Published on by

PSA: Hide your .git/config directory image

A lot of developers have horror stories about doing stupid things that cause security issues. A few years ago I was creating an open source app and accidentally committed and pushed up a config file containing my email login and password. It went completely unnoticed until a very nice guy emailed me and told me what I had done. Still to this day I have that weird feeling in my stomach when thinking about it. Major fail!

Of course, uploading sensitive information has been a problem for years and The Guardian ran a story back in 2013 about people using the Github search to find private ssh keys.

Another common security issue is exposing your .git directory on your public sites. Jamie Brown writes that out of 1.5m sites he analyzed, 2,402 have their .git folder exposed and downloadable.

The blog python sweetness wrote in 2013:

According to a quick gevent script, >0.7% of the first 100,000 sites from Alexa’s top 1 million sites are serving their .git directories to the outside world.

The recommended and safest way to deploy apps is to have the document root be a /public directory with all the dot files outside of this so they are not directly accessible from the web. Most frameworks including Laravel are setup this way. But a lot of downloadable apps are not. WordPress is just one example where everything runs from one directory and if you are using it with Git it’s easy to make the mistake of pushing the .git directory to a publicly viewable location.

Chris Cornutt, writer for PHPDeveloper, today tweeted about a package named greedy-git which can be used to analyse remote .git files and find private information from them. With this it’s really easy for someone to find anything private stored in this directory.

Jamie says that:

Some of these .git repositories are harmless, but from a random sample many contain dangerous information that provides a direct vector to attack the site. Hundreds listed database passwords, or included API keys for services such as Amazon AWS or Google Cloud. Others included FTP details to their own web server. Many contained database backups in .SQL files, or the contents of hidden folders that are meant to be restricted.

This appears to be a widespread problem, but the fix is easy. Here are two examples for hiding this directory on nginx and apache:

Nginx:

location ~ /\.git {
deny all;
}

Apache .htaccess:

RedirectMatch 404 /\.git

If your .git directory has been exposed Jamie recommends you assume that someone has downloaded everything already and work out what they could have seen.


Resources used in this post:

Eric L. Barnes photo

Eric is the creator of Laravel News and has been covering Laravel since 2012.

Cube

Laravel Newsletter

Join 40k+ other developers and never miss out on new tips, tutorials, and more.

image
DocuWriter.ai

Save hours of manually writing Code Documentation, Comments & DocBlocks, Test suites and Refactoring.

Visit DocuWriter.ai
Laravel Forge logo

Laravel Forge

Easily create and manage your servers and deploy your Laravel applications in seconds.

Laravel Forge
Tinkerwell logo

Tinkerwell

The must-have code runner for Laravel developers. Tinker with AI, autocompletion and instant feedback on local and production environments.

Tinkerwell
No Compromises logo

No Compromises

Joel and Aaron, the two seasoned devs from the No Compromises podcast, are now available to hire for your Laravel project. ⬧ Flat rate of $7500/mo. ⬧ No lengthy sales process. ⬧ No contracts. ⬧ 100% money back guarantee.

No Compromises
Kirschbaum logo

Kirschbaum

Providing innovation and stability to ensure your web application succeeds.

Kirschbaum
Shift logo

Shift

Running an old Laravel version? Instant, automated Laravel upgrades and code modernization to keep your applications fresh.

Shift
Bacancy logo

Bacancy

Supercharge your project with a seasoned Laravel developer with 4-6 years of experience for just $2500/month. Get 160 hours of dedicated expertise & a risk-free 15-day trial. Schedule a call now!

Bacancy
LoadForge logo

LoadForge

Easy, affordable load testing and stress tests for websites, APIs and databases.

LoadForge
Paragraph logo

Paragraph

Manage your Laravel app as if it was a CMS – edit any text on any page or in any email without touching Blade or language files.

Paragraph
Lucky Media logo

Lucky Media

Bespoke software solutions built for your business. We ♥ Laravel

Lucky Media
Lunar: Laravel E-Commerce logo

Lunar: Laravel E-Commerce

E-Commerce for Laravel. An open-source package that brings the power of modern headless e-commerce functionality to Laravel.

Lunar: Laravel E-Commerce
DocuWriter.ai logo

DocuWriter.ai

Save hours of manually writing Code Documentation, Comments & DocBlocks, Test suites and Refactoring.

DocuWriter.ai
Rector logo

Rector

Your partner for seamless Laravel upgrades, cutting costs, and accelerating innovation for successful companies

Rector

The latest

View all →
Generate Code Coverage in Laravel With PCOV image

Generate Code Coverage in Laravel With PCOV

Read article
Non-backed Enums in Database Queries and a withSchedule() bootstrap method in Laravel 11.1 image

Non-backed Enums in Database Queries and a withSchedule() bootstrap method in Laravel 11.1

Read article
Laravel Pint --bail Flag image

Laravel Pint --bail Flag

Read article
Laravel Herd for Windows is now released! image

Laravel Herd for Windows is now released!

Read article
The Laravel Worldwide Meetup is Today image

The Laravel Worldwide Meetup is Today

Read article
Cache Routes with Cloudflare in Laravel image

Cache Routes with Cloudflare in Laravel

Read article