Storing Git’s repository directory – the .git directory – in a publicly accessible area of a website may expose sensitive information that bad actors can use to steal data or compromise the site.

Git is a version control system and a major part of many development workflows. WordPress and Magento developers use Git to version control code and to collaborate on its development. Git itself is secure, but developers can cause security issues if they aren’t careful where version controlled code is stored.

In a recent survey of many millions of domains, security researcher Vladimír Smitka shows just how prevalent this misuse of Git is. After scanning more than 230 million domains, Smitka discovered 40,000 WordPress sites, 4,000 WooCommerce sites, and 2,000 with exposed .git directories.

Why Are Exposed Git Directories Bad For Security?

The .git folder contains records of every change made to a site’s code. That information is useful to bad actors looking for clues about vulnerabilities in the site. Information about how code is structured, which libraries are used and their versions, API endpoints, and other details about the site can be used by bad actors to develop a plan of attack. Ordinarily, this information is difficult to find, but an exposed .git repo makes life much easier for bad actors.

This situation is made worse if developers version control sensitive information such as database passwords and API keys. Sensitive data should never be stored in version control systems that are accessible to the public – in fact, they should not be stored in version control at all. Unfortunately, many developers do store sensitive information in Git repositories. If they also have .git in their web server’s public directory, the whole world can access them.

Does Your Site Serve A Git Repository To Visitors?

As Smitka points out, the straightforward method for finding a .git repository often doesn’t work. If a developer tries to visit https://example.com/.git they may receive a 403 error even if there is an exposed repository. The error is caused by a missing index.html file and configuration that denies directory listing.

However, a bad actor could visit https://example.com/.git/HEAD and, with a little trouble, access the sensitive information they want.

Mitigating The Problem

The best solution is the simplest. Don’t put sensitive data in Git repositories. Don’t keep .git in directories that are served by your web server. If you have decided that you need to keep version control information in a directory that would by default be publicly accessible, you can block access with a rule in the site’s .htaccess file.

There are various ways to block access to the .git directory, but Smitka has created a simple .htaccess rule that works well for Apache 2.4:

<Directory ~ "/.(?!well-known/)">
 Require all denied
</Directory>

This rule blocks access to all dot directories except .well-known, which is often used to provide site metadata to web clients. You will find a version suitable for Apache 2.2 here.

Posted in:
Security