Hide Git Repos on Public Sites

Don’t provide would-be hackers with your source code!

If you use git to manage projects, you should be careful about publicly disclosing your repo – this would give would-be hackers access to your entire source code.

You should never include configuration or other sensitive files in version control for security reasons – gitignore is there for a reason.

Even if you keep sensitive files outside your git repo, it’s still important to restrict access to the .git directory for public-facing projects.

If your git directory is available, it would be simple for would-be hackers to:

  • Download the .git directory (using a tool like wget)
  • Run git commands on the downloaded repo

I’ve tested this locally (on a test site) and it took no more than a few minutes to get full access to all the code contained in a downloaded git repo.

Even if you don’t have config files included, how do you feel about a complete stranger having full access to your source code? You might be happy enough, but bear in mind you are allowing potential attackers to go through your work with a fine-tooth-comb looking for vulnerabilites.

It’s one thing to consciously share a project on Github – it’s quite another to inadvertently give public access to potentially sensitive data.

Am I Vulnerable?

Enter ‘http://site.com/project-path/.git/config’ in your browser URL bar, where ‘project-path’ is the path to your version controlled directory. If you see something like this:

[core]
   repositoryformatversion = 0
   filemode = true
   bare = false
   logallrefupdates = true
[remote "origin"]
   url = git@bitbucket.org:UserName/your-repo.git
   fetch = +refs/heads/*:refs/remotes/origin/*

…you need to take action!

You could move your .git directory outside the document root, so that it is not publicly accessible. This is quite a good solution, though I have found it a bit fiddly when a project uses git submodules.

Another alternative is to selectively block public access to all files under the .git directory.

Apache Fix

If your site is served by Apache, and you have access to Apache config files, there is a very simple way of preventing access to git files.

Open /etc/apache2/conf-enabled/security.conf for editing:

sudo nano /etc/apache2/conf-enabled/security.conf

You will see the following block:


# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
# Require all denied
#</DirectoryMatch>

Amend this to:



# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
<DirectoryMatch "/\.git">
Require all denied
</DirectoryMatch>

Save (ctrl + o) and exit (ctrl + x) and restart apache:

sudo service apache2 restart

Now try accessing the .git/config file. You should see something like this:

Forbidden
You don't have permission to access /wp-content/themes/david/.git/config on this server.

If you DO NOT have access to Apache config files, add these lines to a .htaccess file in your project root:



# ==================================================================
# Prevent .git access
# ==================================================================

RedirectMatch 404 /\.git

It is also a good idea to disable directory indexing – which can be done either as part of Apache config, or by adding the following to your .htaccess file:



# ==================================================================
# DISABLE DIRECTORY BROWSING
# (probably not needed due to empty index files in directories)
# ==================================================================

Options All -Indexes
Options +FollowSymLinks