item 45711902

tangotaylor | 4 months ago

Beware of using this to publish static sites: you can accidentally expose your .git directory to the public internet.

I got pwned this way before (by a pentester fortunately). I had to configure Apache to block the .git directory.

jonhohle | 4 months ago

Instead of excluding non-public directories, I like to make an explicit `public` directory (or `doc`, `doc-root`, whatever you want to call it). Then configure your server to point to that subdirectory and don’t worry about the repo.

I usually throw `etc` and `log` directories at the top level as well and put my server config in `etc`, and have a gitignore rule to ignore everything in logs, but it's there and ready for painless deployment.

Since the web root is already a subdirectory, more sensitive things can go into the same repo without worrying about exposing them.

cesnja | 4 months ago

You can still get hit by a path traversal exploit. The safest option is to only have the public files on the server.
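The `public` docroot layout and cesnja's traversal caveat, as an added example (not code from either commenter): a request resolver of the kind a static file server needs, which maps a URL path onto a dedicated docroot, refuses any dot-directory such as `.git` even if one has ended up inside the docroot, and refuses anything whose real path escapes the docroot after percent-decoding, `..` collapsing and symlink resolution. The repo tree (`.git`, `etc`, `log`, `public`, plus a stray symlink) is constructed in a temp dir; the probe paths are made up for the demonstration.

```python
"""Serve from a dedicated docroot, and refuse the two things that undo it:
path traversal out of the docroot and requests for dot-directories.
Added example; the site tree below is constructed, not a real deployment."""
import os
import posixpath
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_request(docroot: str, url_path: str) -> Optional[str]:
    """Map url_path to a filesystem path under docroot, or None to refuse.

    Refuses any path component starting with '.', so /.git/HEAD never maps
    to a file, and refuses anything whose real path (after percent-decoding,
    '..' collapsing and symlink resolution) lies outside docroot.
    """
    decoded = unquote(url_path)          # decode exactly once
    if "\0" in decoded:                  # embedded NUL: refuse outright
        return None
    normalized = posixpath.normpath("/" + decoded)   # collapses '.' and '..'
    parts = [p for p in normalized.split("/") if p]
    if any(p.startswith(".") for p in parts):
        return None
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, *parts))
    # commonpath, not startswith: '/srv/public_old' starts with '/srv/public'
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def build_demo_site() -> str:
    """Construct the layout from the post above in a temp dir and return
    the repo path. The server docroot is <repo>/public."""
    repo = tempfile.mkdtemp(prefix="site-")
    for d in (".git", "etc", "log", "public"):
        os.makedirs(os.path.join(repo, d))
    with open(os.path.join(repo, ".git", "HEAD"), "w") as f:
        f.write("ref: refs/heads/main\n")
    with open(os.path.join(repo, "public", "index.html"), "w") as f:
        f.write("<h1>hello</h1>\n")
    # A symlink inside the docroot that points back out of it: the sort of
    # mistake that lets a request reach files the layout was meant to hide.
    os.symlink(os.path.join("..", ".git"), os.path.join(repo, "public", "repo"))
    return repo


# Constructed probe requests: one legitimate, the rest hostile.
PROBES = [
    "/index.html",
    "/.git/HEAD",                     # dot-directory inside docroot
    "/../.git/HEAD",                  # plain traversal
    "/%2e%2e/%2e%2e/etc/passwd",      # encoded traversal; collapses harmlessly
    "/repo/HEAD",                     # traversal via the stray symlink
    "/index.html%00",                 # embedded NUL
]


def run_demo() -> Dict[str, Optional[str]]:
    """Resolve each probe against the demo docroot; values are paths
    relative to the docroot, or None when the request is refused."""
    repo = build_demo_site()
    docroot = os.path.join(repo, "public")
    root = os.path.realpath(docroot)
    results = {}
    for probe in PROBES:
        resolved = resolve_request(docroot, probe)
        results[probe] = None if resolved is None else os.path.relpath(resolved, root)
    return results


if __name__ == "__main__":
    for probe, outcome in run_demo().items():
        print(f"{probe:32} -> {outcome if outcome else 'REFUSED'}")
```

The encoded-traversal probe is worth noting: after one round of decoding and normalization it lands on `etc/passwd` inside the docroot (a harmless 404), which is why a resolver should decode once and normalize, rather than pattern-match on `..`. On Apache the directive-level equivalent of tangotaylor's fix is a `<DirectoryMatch "/\.git">` block containing `Require all denied`; the resolver above is the same rule applied in code.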

kragen | 4 months ago

I expose my .git directory to the public internet on purpose. If I don't, how will anyone else clone the repo?

CGamesPlay | 4 months ago

But what, exactly, was pwned? Did you have secrets in the git repo?

tangotaylor | 4 months ago

No secrets like auth credentials or tokens but:

- Deleted files and development artifacts that were never meant to go public.

- My name and email address.

- Cringy commit messages.

I assumed these commits and their metadata would be private.

It was embarrassing. I was in high school, I was a noob.
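What an exposed `.git` actually hands over, as an added example (not the commenter's code or repo): loose objects live at `.git/objects/<2 hex>/<38 hex>` and are just zlib-compressed `<type> <len>\0<body>` records, so once `/.git/HEAD` and the branch ref are fetched, anyone can walk the parent chain and read exactly the three things listed above: deleted files, author name and e-mail, and every commit message. The repository below is constructed in memory (the author, e-mail, file names and messages are invented for the demonstration) using the same object format, and then read back the way a dumper would.

```python
"""Recover commit metadata and deleted file names from loose git objects.
Added example; the repository is constructed in memory with made-up
names, e-mail address, messages and files."""
import hashlib
import re
import zlib
from typing import Dict, List, Optional, Set

IDENT_RE = re.compile(r"^(.*) <([^>]*)> (\d+) ([+-]\d{4})$")


def store_object(kind: str, body: bytes, objects: Dict[str, bytes]) -> str:
    """Store a loose object as git does: sha1 over the header+body, zlib of
    the same bytes. Returns the object id (hex)."""
    store = kind.encode() + b" " + str(len(body)).encode() + b"\0" + body
    sha = hashlib.sha1(store).hexdigest()
    objects[sha] = zlib.compress(store)
    return sha


def make_tree(entries: Dict[str, str], objects: Dict[str, bytes]) -> str:
    """Tree body: sorted '<mode> <name>\\0<20 raw sha bytes>' (blobs only here)."""
    body = b"".join(b"100644 " + name.encode() + b"\0" + bytes.fromhex(sha)
                    for name, sha in sorted(entries.items()))
    return store_object("tree", body, objects)


def make_commit(tree: str, parent: Optional[str], name: str, email: str,
                ts: int, message: str, objects: Dict[str, bytes]) -> str:
    ident = f"{name} <{email}> {ts} +0000"
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else []) + \
            [f"author {ident}", f"committer {ident}", "", message]
    return store_object("commit", "\n".join(lines).encode() + b"\n", objects)


def read_object(objects: Dict[str, bytes], sha: str):
    """Inverse of store_object: (kind, body), checking the declared length."""
    header, _, body = zlib.decompress(objects[sha]).partition(b"\0")
    kind, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError(f"corrupt object {sha}")
    return kind, body


def parse_commit(body: bytes) -> dict:
    headers, _, message = body.partition(b"\n\n")
    info = {"parents": [], "message": message.decode().rstrip("\n")}
    for line in headers.decode().split("\n"):
        key, _, value = line.partition(" ")
        if key == "parent":
            info["parents"].append(value)
        elif key in ("author", "committer"):
            m = IDENT_RE.match(value)
            info[key] = {"name": m.group(1), "email": m.group(2), "time": int(m.group(3))}
        else:
            info[key] = value
    return info


def parse_tree(body: bytes) -> Dict[str, str]:
    """Entry names -> hex sha. The 20 raw sha bytes may contain NUL, so the
    separator is the first NUL after each entry's mode, not a global split."""
    names, i = {}, 0
    while i < len(body):
        nul = body.index(b"\0", i)
        _mode, name = body[i:nul].decode().split(" ", 1)
        names[name] = body[nul + 1:nul + 21].hex()
        i = nul + 21
    return names


def walk_history(objects: Dict[str, bytes], head: str) -> List[dict]:
    """Follow first-parent links from head, as a dumper does after fetching
    /.git/HEAD, /.git/refs/heads/<branch> and each referenced object."""
    history, sha = [], head
    while sha:
        kind, body = read_object(objects, sha)
        if kind != "commit":
            raise ValueError(f"{sha} is a {kind}, not a commit")
        commit = parse_commit(body)
        commit["sha"] = sha
        commit["files"] = parse_tree(read_object(objects, commit["tree"])[1])
        history.append(commit)
        sha = commit["parents"][0] if commit["parents"] else None
    return history


def deleted_files(history: List[dict]) -> Set[str]:
    """Names present in some ancestor tree but absent from HEAD's tree."""
    return {n for c in history[1:] for n in c["files"]} - set(history[0]["files"])


def build_demo_repo():
    """Constructed two-commit repo: a draft file is added, then removed."""
    objects: Dict[str, bytes] = {}
    blob = lambda text: store_object("blob", text.encode(), objects)
    t1 = make_tree({"index.html": blob("<h1>hi</h1>"),
                    "notes-draft.txt": blob("todo: fix this hack")}, objects)
    c1 = make_commit(t1, None, "Alice Example", "alice@example.test",
                     1700000000, "asdf idk if this works", objects)
    t2 = make_tree({"index.html": blob("<h1>hello</h1>")}, objects)
    c2 = make_commit(t2, c1, "Alice Example", "alice@example.test",
                     1700000100, "remove draft before anyone sees it", objects)
    return objects, c2


if __name__ == "__main__":
    objs, head = build_demo_repo()
    hist = walk_history(objs, head)
    for c in hist:
        print(c["sha"][:7], c["author"]["name"], c["author"]["email"], "|", c["message"])
    print("deleted:", sorted(deleted_files(hist)))
```

Deleting a file in a later commit does nothing to the old tree and blob objects, which is why the draft's name (and, via its blob, its contents) is still recoverable from HEAD's parent. Real repositories also keep objects in packfiles and refs in `packed-refs`, which need more parsing than this, but nothing more in the way of access.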

tasuki | 4 months ago

I expose the .git directories on my web server and never considered it a problem. I also expose them on GitHub and didn't consider that a problem either...