GIT code and configuration disclosure

More and more web applications and websites are deployed automatically as part of the development process. Within a continuous integration / deployment pipeline it is common to use version control systems like git and svn.

Git has the .git folder containing the scripts, source code, configuration files, metadata and history. When these files are publicly available (copied into the web application folders, incorrect authorization or configuration), everyone is able to download the complete repository, including commit messages.

You can test whether the repository has been deployed by checking for the availability of the file /.git/config. If you get a response containing the configuration of the repository, you are at risk of the complete repository being downloadable (including commit messages, history, configurations).

On some occasions you can simply clone the git repository (depending on the webserver configuration); for other occasions I've created a python script that downloads the files it has access to.

/.git/config (contains the different branches and origins)
/.git/index (contains the git index)
/.git/HEAD (contains the current reference to HEAD)
/.git/packed-refs (contains the references to the packed archives)
/.git/logs/HEAD (contains all commit messages)

The key file is /.git/ORIG_HEAD. That file contains the SHA-1 hash of the parent commit. Starting from this hash you can enumerate all objects.

/.git/objects/{first two chars of sha1}/{remaining chars of sha1}

import requests
u = requests.get(base + '/objects/' + objh[:2] + '/' + objh[2:])  # objh is the 40-character SHA-1 of the object

The file is zlib compressed, and the first 4 bytes of the decompressed data identify the object type.

import zlib
db = zlib.decompress(body)  # body is the raw response bytes of the object file

This can be:

  • blob (a file)
  • comm (a commit), commit information and reference to tree
  • tree (a tree), reference to the files and references to objects in the tree
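As an added example (not the post's own script), the following Python maps an object hash to the path described above and parses a loose object: it decompresses the data, reads the type from the header and verifies that the SHA-1 of the decompressed content matches the object name, which is how a downloaded or backed-up object can be checked for integrity. The make_loose_object helper is a constructed function that builds a sample object offline.

```python
import hashlib
import re
import zlib

_SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

def loose_object_path(sha1):
    """Map an object hash to its location under .git/:
    objects/<first two hex chars>/<remaining 38 hex chars>."""
    sha1 = sha1.lower()
    if not _SHA1_RE.match(sha1):
        raise ValueError("not a 40-character hex SHA-1: %r" % sha1)
    return "objects/%s/%s" % (sha1[:2], sha1[2:])

def parse_loose_object(raw, expected_sha1=None):
    """Decompress a loose object and return (type, body).

    The decompressed data starts with a header "<type> <size>\\0"; the
    'first 4 bytes' mentioned in the post are the start of the type name
    ('blob', 'comm' for commit, 'tree'). The object name is the SHA-1 of
    the whole decompressed buffer, so a fetched file can be verified."""
    data = zlib.decompress(raw)
    header, sep, body = data.partition(b"\0")
    if not sep:
        raise ValueError("missing NUL after object header")
    obj_type, _, size = header.partition(b" ")
    obj_type = obj_type.decode("ascii")
    if obj_type not in ("blob", "commit", "tree", "tag"):
        raise ValueError("unknown object type %r" % obj_type)
    if int(size) != len(body):
        raise ValueError("header size %s != body length %d" % (size.decode(), len(body)))
    if expected_sha1 is not None:
        actual = hashlib.sha1(data).hexdigest()
        if actual != expected_sha1.lower():
            raise ValueError("hash mismatch: expected %s, got %s" % (expected_sha1, actual))
    return obj_type, body

def make_loose_object(obj_type, body):
    """Constructed helper: build a loose object the way git stores it and
    return (sha1, zlib-compressed bytes). Used here for an offline sample."""
    data = obj_type.encode("ascii") + b" " + str(len(body)).encode("ascii") + b"\0" + body
    return hashlib.sha1(data).hexdigest(), zlib.compress(data)

if __name__ == "__main__":
    sha1, raw = make_loose_object("blob", b"hello world\n")
    print(loose_object_path(sha1))
    print(parse_loose_object(raw, expected_sha1=sha1))
```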

Git has the habit of packing older objects into pack files now and then.

As an example you can look at boost.org. This website is a clone of a public github repository, so in this case it is on purpose and cannot do any harm.

http://www.boost.org/.git/config
http://www.boost.org/.git/logs/HEAD
http://www.boost.org/.git/index

Easy fix

You can fix this issue by configuring your web servers not to serve hidden files, or by preventing these hidden files from being deployed in the first place.

With .svn much the same can be done, by testing for /.svn/entries.