From the email address reporter@repo-lookout.org I received a notification that my project has /.git/HEAD in the public part of the website. I don’t see anything sensitive in it, only commit numbers and notes, but there are also directories like /.git/config, in which there is also nothing very interesting, only information about branches. But there is also something like /.git/object/ with some kind of encoded content.
My question: Is it really dangerous, and can a potential attacker somehow decode the encoded text and read the source code and sensitive information?
It is important that I add something like this to my htaccess:
You should generally disable access to hidden files and .git in the Apache/Nginx configuration to stop people downloading them. The number of people I find trying to get .git/config from my webserver is unbelievable. Other requests as well.
There are plenty of examples of how to do this just by searching with Google or your preferred search engine.
Well, I’d like to know what’s wrong with someone downloading it and whether they can get the source code.
No matter how I google, the general sentence that you wrote to me is written everywhere, but no one knows why “it should not be in a public place”.
I need to verify that the source code can actually be obtained, to know if anyone has it now. I have passwords in the code because I can’t run any vault yet.
So it is for security reasons, to stop people cloning your code: if .git/config is accessible, they could get your auth token and then have access to a private repository and download the code, or even upload stuff if the auth token wasn’t restricted.
If they have downloaded the code, then as you know they have access to your passwords because you committed it to the code. So that is an obvious reason as to not allow access to .git on your webserver and all the files underneath it.
Since yours has been confirmed as being accessible, you will now need to change all your passwords and restrict access, because someone might have already cloned your repository. But we have no way of confirming that. You can check through all your log files on your server to see if any clones have been made. You have to assume that someone could have cloned it, and change all passwords, tokens, etc.
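One way to do that log check, as an added example that is not from this thread: it parses access-log lines in the Apache/Nginx combined format, groups requests for dot-file paths by client IP, and separates requests that were actually served (2xx) from those that were blocked or not found. The sample log lines and the set of paths treated as "repository content" are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/Nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:02:15 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:10:02:16 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:10:02:17 +0000] "GET /.git/objects/ab/cdef0123 HTTP/1.1" 200 840 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2024:11:30:00 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.5 - - [10/May/2024:11:31:00 +0000] "GET /.env HTTP/1.1" 404 150 "-" "Mozilla/5.0"
"""

# One combined-format line: client IP, timestamp, request line, status (the rest is ignored).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Any path component starting with a dot: /.git/..., /.svn/..., /.env and similar.
HIDDEN_RE = re.compile(r'(?:^|/)\.[^/]')
# Assumed set of .git paths whose retrieval means actual repository content left the server.
CONTENT_PREFIXES = ("/.git/objects/", "/.git/index", "/.git/packed-refs")


def scan_hidden_paths(log_text):
    """Per client IP: dot-file paths that were served (2xx) and a count of requests that were not."""
    report = defaultdict(lambda: {"served": [], "not_served": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if HIDDEN_RE.search(path):
            entry = report[m.group("ip")]
            if 200 <= int(m.group("status")) < 300:
                entry["served"].append(path)
            else:
                entry["not_served"] += 1
    return dict(report)


def clients_with_repo_content(report):
    """IPs served objects/index/packed-refs, i.e. more than just HEAD or config."""
    return sorted(ip for ip, e in report.items()
                  if any(p.startswith(CONTENT_PREFIXES) for p in e["served"]))


if __name__ == "__main__":
    for ip, e in sorted(scan_hidden_paths(SAMPLE_LOG).items()):
        print(f"{ip}: served={e['served']} not_served={e['not_served']}")
    print("repository content retrieved by:", clients_with_repo_content(scan_hidden_paths(SAMPLE_LOG)))
```

A client that was served /.git/config got the remote URL and any token embedded in it; a client that was served object files got repository content, and both cases mean the passwords in the code must be treated as exposed.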