Unprotected Git directory
Unauthorized people may have access to your Git directory
Details:
To develop the program code of a store system while keeping track of changes, many developers use version control systems such as Git. To allow changes to the program code to be tracked and reverted, and to allow teams to work on development in parallel, Git stores its metadata in a special directory named .git within the program directory. The files in it contain a complete copy of your store's program code together with its entire history, so even files that were later deleted or overwritten (for example a configuration file that once held a password) can be recovered from it. If the web server serves this directory, an attacker can download it, study the code for vulnerabilities to break into your store or spy on your customers, and in many cases also read credentials, because the store installation directory often contains access data, e.g. for the store database or for external systems such as merchandise management or a customer support platform. To prevent attackers from gaining access to these areas, reading out data, manipulating it or performing unauthorized actions, the .git directory must be carefully secured.
Solution
The safeguards against this security risk must prevent access to the .git directory and the files it contains. You can do this as follows.
Do not place the directory on the web server
Do not place the .git directory on the cluster, or delete it immediately after a deployment. The directory is only necessary if you want to actively work with the version control system on the server, e.g. pull updates there. We recommend working actively only on staging or development environments instead and deploying to production with an export that never contains the metadata (for example the output of git archive, or a deployment tool configured to exclude .git). This way you can do without the .git directory on your production cluster.
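The following script is an added example, not code from the original article or from the hosting platform: a post-deployment check that removes version-control and operating-system metadata (.git, .svn, .DS_Store) from a document root and only succeeds if a second scan finds nothing, so a deployment pipeline can abort when a leftover is found. The document-root path and the file names are assumptions; the demo builds a throwaway directory so the script runs without a real store.

```shell
#!/bin/sh
# Added example (not from the original article): strip VCS/OS metadata from a
# deployed document root and verify that nothing is left behind.
# DOCROOT and the sample file names are assumptions.

# Print every .git, .svn or .DS_Store entry below the given directory.
find_vcs_metadata() {
    find "$1" \( -name .git -o -name .svn -o -name .DS_Store \) -print
}

# Delete those entries without descending into them, then succeed only if a
# second scan finds nothing, so a deployment hook can abort on failure.
strip_vcs_metadata() {
    find "$1" \( -name .git -o -name .svn -o -name .DS_Store \) -prune -exec rm -rf {} +
    [ -z "$(find_vcs_metadata "$1")" ]
}

# Constructed document root for the demonstration: metadata at the top level
# and nested under vendor/ and media/, next to files that must survive.
make_demo_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/.git/objects" "$d/app/etc" "$d/vendor/lib/.git" "$d/media/.svn"
    printf '[core]\n\trepositoryformatversion = 0\n' > "$d/.git/config"
    printf '<?php return ["db" => ["password" => "secret"]];\n' > "$d/app/etc/env.php"
    : > "$d/media/.DS_Store"
    : > "$d/index.php"
    echo "$d"
}

# Usage in a deployment hook (path is an assumption):
#   strip_vcs_metadata /var/www/htdocs || exit 1
if [ -n "$1" ]; then
    strip_vcs_metadata "$1"
fi
```

The -prune keeps find from descending into a .git directory that rm is about to delete, and the second scan is what makes the function usable as a gate: a non-zero exit means metadata is still present and the deployment should not go live.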
Preventing access to the .git directory
If you cannot do without the directory, access to it must be blocked by the web server. Depending on the active web server, access protection can be implemented as follows. Whichever server you use, verify the result afterwards: a request such as curl -s -o /dev/null -w '%{http_code}' https://www.example.com/.git/config must return 403 or 404 and must never return the contents of the file.
Example: Apache
When using Apache, .git directories can be protected via the .htaccess configuration file. This protection applies to the directory in which the file is located as well as to all directories below it. Edit an existing .htaccess file in the htdocs directory or create the file if it does not exist. Then add, preferably at the beginning, the following lines. Note that the rule only takes effect if mod_rewrite is loaded and AllowOverride permits FileInfo (or All) for the directory; because of the IfModule guard, a missing mod_rewrite silently leaves the directory exposed, which is why the curl check above matters.
# Block access to directories named ".git" (requires mod_rewrite and
# AllowOverride FileInfo or All for this directory).
<IfModule mod_rewrite.c>
RewriteEngine On
# Match ".git/" at the start of the request path or after any "/";
# "-" leaves the URL unchanged, F answers 403 Forbidden, L stops further rules.
RewriteRule (^|/)\.git/ - [F,L]
</IfModule>
Example: NGINX
When using NGINX, the protection must be built into the configuration of the affected domain. For this, use our application templates for Magento 1, Magento 2 or Shopware, in which the protection of .git directories is already integrated.
Alternatively, you can add the following line to userdefined.conf via the rule editor of the affected domain. NGINX evaluates regular-expression locations in the order they appear, so place it before other regex location blocks; ~* makes the match case-insensitive. If you prefer not to reveal that the directory exists, return 404 instead of 403.
# Block access to directories named ".git" (case-insensitive)
location ~* /\.git/ { return 403; }
Further recommended actions
- Also protect the directories of the version control system Subversion (.svn) as well as the macOS files .DS_Store from unauthorized access.
- Protect folders with log files (for Magento var/log) as well as configuration files (for Magento app/etc). When using Apache this is normally already preset by the installation of your store system.
- When using Apache, check in an existing .htaccess file whether access to the corresponding directories or files is blocked. The directories to be protected may themselves contain .htaccess files; check those as well.
- When using NGINX, use our application templates, which already protect many application-specific folders and files.
.git outside the root directory
Git allows the .git directory to be stored outside the root directory of the project. Git commands must then be given the parameter --git-dir=<directory>, or the environment variable GIT_DIR must be set accordingly (and, when the command is not run from the working tree, --work-tree=<directory> or GIT_WORK_TREE as well). While a missing --git-dir parameter only leads to a harmless error message ("not a git repository"), an incorrectly set environment variable can lead to unwanted changes in projects and in the files under version control when working on different Git projects: with GIT_DIR exported, every git command in every directory operates on that one repository and, unless a working tree is configured, treats the current directory as its working tree. This variant is therefore only suitable for experienced development teams with defined working methods.
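The following script is an added example, not code from the original article: it sets up a store whose Git metadata lives outside the document root, shows the explicit --git-dir/--work-tree form that is safe from any directory, and reproduces the GIT_DIR pitfall described above by running git inside an unrelated project while GIT_DIR points at the store repository. The directory layout (repos/shop.git as metadata, htdocs as work tree, other/ as the unrelated project) and the user identity are assumptions; everything is created under a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original article): .git outside the document
# root, the explicit --git-dir/--work-tree form, and the GIT_DIR pitfall.
# Layout and identity below are assumptions; git must be installed.

# Explicit form: every command names metadata directory and work tree, so it
# works from any current directory and never touches another project.
# $1 = git dir, $2 = work tree, remaining arguments = git command.
git_external() {
    gitdir=$1; worktree=$2; shift 2
    git --git-dir="$gitdir" --work-tree="$worktree" "$@"
}

# Which repository does git pick up from inside $1 when nothing is exported?
resolved_git_dir() {
    ( cd "$1" && git rev-parse --absolute-git-dir )
}

# ... and when GIT_DIR=$2 is exported in that shell?
resolved_git_dir_with_env() {
    ( cd "$1" && GIT_DIR=$2 git rev-parse --absolute-git-dir )
}

# Porcelain status seen inside $1 with GIT_DIR=$2 exported: the work tree
# silently becomes the current directory, so git compares the shop's index
# against the other project's files (index.php "deleted", other.txt untracked).
# A "git add ." here would stage the other project into the shop repository.
status_with_env() {
    ( cd "$1" && GIT_DIR=$2 git status --porcelain )
}

# Build the two projects and print the base directory.
setup_projects() {
    base=$(mktemp -d)
    mkdir -p "$base/repos" "$base/htdocs" "$base/other"
    # Shop: metadata in repos/shop.git. The .git pointer file that
    # --separate-git-dir leaves in htdocs is removed so nothing remains there,
    # and no work tree is recorded in the config: it must always be given.
    git init -q --separate-git-dir="$base/repos/shop.git" "$base/htdocs"
    rm -f "$base/htdocs/.git"
    git --git-dir="$base/repos/shop.git" config --unset core.worktree 2>/dev/null || true
    echo '<?php echo "shop";' > "$base/htdocs/index.php"
    git_external "$base/repos/shop.git" "$base/htdocs" add index.php
    git_external "$base/repos/shop.git" "$base/htdocs" \
        -c user.name=deploy -c user.email=deploy@example.invalid commit -q -m "initial"
    # Unrelated project with an ordinary in-tree .git directory.
    git init -q "$base/other"
    echo 'other project' > "$base/other/other.txt"
    echo "$base"
}
```

The explicit form is the defined working method the article asks for: nothing in the environment decides which repository a command hits. The exported variable is the failure mode: git does not warn, it simply reports the other project's files as changes to the store repository.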