DEV Community

Cover image for Don’t make your .git folder publicly accessible, hacker can steal your source code
David Adi Nugroho
David Adi Nugroho

Posted on • Edited on • Originally published at Medium

Don’t make your .git folder publicly accessible, hacker can steal your source code

Have you ever realized the danger of a publicly accessible .git folder?

There are some developers who deploy their app to production using pure git clone method. They clone their app repository from gitlab/github/bitbucket directly to a web-root facing folder on server like /var/www/app/. That makes the .git folder exist in /var/www/app/.git.

If you don’t have proper permission to that .git folder, it will be accessible to the public. Like this:

And then hacker can download your .git folder using:

$ wget -c -r -np -R "index.html*" http://example.com/.git
Enter fullscreen mode Exit fullscreen mode

After downloaded, it’s just an empty folder with .git folder on it. It also has all commit history.

Hacker can reset to latest commit to restore the source code files.

$ git reset --hard HEAD
Enter fullscreen mode Exit fullscreen mode

And boom, your source code is leaked!


Here is how to mitigate it:

Add/edit your .htaccess file to make the .git folder hidden

RewriteEngine on  
RewriteRule .*\.git/.* - [404]
Enter fullscreen mode Exit fullscreen mode

Why use 404 not found instead of 403 forbidden?

Hacker doesn’t even know if the .git folder exists, it’s 404. But if it’s 403 forbidden, hacker knows there is .git folder, only not accessible.


Hope it helps.
Salam.

Top comments (7)

Collapse
 
tobiassn profile image
Tobias SN

The way you’re deploying, your source code is gonna be leaked anyway, as there is no build step.

Collapse
 
abdelrahmanahmed profile image
Wahdan

Pushing .git folder from the beginning is totally wrong, there should be a build process when you deploy your app

Collapse
 
nuculabs_dev profile image
Nucu Labs

Well, it depends, if you're using an app written in Python you need to deploy the source code.

Collapse
 
sergix profile image
Peyton McGinnis

In the case of Python you should containerize and deploy your app.

Collapse
 
hoangleitvn profile image
Hoang Le

You are cloning repo on your app server? If so, DevOps is needed instead of this

Collapse
 
craigmc08 profile image
Craig McIlwrath

So instead of creating a better build/release process, just stitch a thin patch over a gaping hole?

Collapse
 
sergix profile image
Peyton McGinnis

I don't think this is an ideal setup... I mean I totally understand the danger here, but you really should not be deploying this way at all.