I'm sure this happens to everyone sometimes. You accidentally pushed a file with secrets or a password that shouldn't have gotten into the Git hist...
This is the most succinct and direct guide I've ever read on this issue! Thank you so much! I have to save this now for future reference.
Glad it helped 💖
Thanks Chris! This saves me from future troubles.
Good article - you should add a paragraph about needing to rotate the secrets that were checked since they have now been publicly exposed (albeit briefly)
I've added a small note for that :)
Forgot it in the initial draft.
I tried this on my repository, got the same result on GitHub.
However, I found a small gotcha. If you put the file name in commit message like 'Add .env' and you do
git log --all --grep='.env'
, then you get 2 commits pointing to it. One is the old commit and the other one is the new rewritten commit. And if you copy the old commit id and search it in GitHub, then you will be able to see the content of the file.
Even if you don't put the name of the file in the commit msg, there's still a possibility of an attacker going through all the commits and finding the .env file.
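Added demo of the gotcha Drishit describes, written for this thread rather than taken from the article or from anyone's comment. It builds a throwaway repo with a constructed placeholder key in .env, rewrites history with git filter-branch (which ships with git; the article's tool may differ), shows that the old commit still resolves because refs/original and the reflog keep it alive, then runs the cleanup that actually drops the old objects and checks the result. Assumes git, a POSIX sh and mktemp; the repo, commit messages and key value are all made up.

```shell
#!/bin/sh
# Constructed demo: a rewritten commit is not a deleted commit until the
# backup refs and reflog entries that point at it are gone.
set -e

# Create a repo that accidentally commits a .env with a placeholder secret.
# Prints the SHA of the commit that introduced it.
make_leaky_repo() {
  git init -q "$1"
  git -C "$1" config user.email demo@example.invalid
  git -C "$1" config user.name demo
  git -C "$1" config commit.gpgsign false
  printf 'API_KEY=constructed-placeholder-not-a-real-key\n' > "$1/.env"
  printf 'print("hello")\n' > "$1/app.py"
  git -C "$1" add .env app.py
  git -C "$1" commit -q -m 'Add .env'
  git -C "$1" rev-parse HEAD
  printf 'print("more")\n' >> "$1/app.py"
  git -C "$1" add app.py
  git -C "$1" commit -q -m 'Tweak app'
}

# Count every commit reachable from any ref OR the reflog whose tree still
# contains .env. Run this after a rewrite: anything above 0 is still exposed.
commits_containing_env() {
  git -C "$1" rev-list --all --reflog |
    while read -r c; do
      git -C "$1" cat-file -e "$c:.env" 2>/dev/null && echo "$c"
    done | wc -l | tr -d ' '
}

# Rewrite all branches so .env never existed. This does NOT delete the old
# commits: refs/original/* and the reflog still point at them, which is why
# the old SHA keeps resolving and the secret keeps being viewable.
rewrite_without_env() {
  FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$1" filter-branch \
    --index-filter 'git rm -q --cached --ignore-unmatch .env' -- --all
}

# Drop the backup refs and every reflog entry, then prune unreachable objects.
purge_old_commits() {
  for r in $(git -C "$1" for-each-ref --format='%(refname)' refs/original/); do
    git -C "$1" update-ref -d "$r"
  done
  git -C "$1" reflog expire --expire=now --all
  git -C "$1" gc --prune=now --quiet
}

# Does a commit SHA still resolve to an object in this repo? Prints yes or no.
commit_exists() {
  if git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null; then echo yes; else echo no; fi
}

# Stand-alone walkthrough: leak, rewrite, show the leftover, purge, re-check.
repo=$(mktemp -d)
leaky=$(make_leaky_repo "$repo")
echo "before rewrite: $(commits_containing_env "$repo") commit(s) contain .env"
rewrite_without_env "$repo" >/dev/null 2>&1
echo "after rewrite:  $(commits_containing_env "$repo") still reachable; old commit exists: $(commit_exists "$repo" "$leaky")"
purge_old_commits "$repo"
echo "after purge:    $(commits_containing_env "$repo") commit(s); old commit exists: $(commit_exists "$repo" "$leaky")"
rm -rf "$repo"
```

The purge only cleans the local clone. Objects already pushed stay on the remote until the host runs its own garbage collection (or its support team purges them on request), so the old commit id can still be opened on GitHub for a while after the force push. That is why rotating the leaked secret, as suggested above in the thread, is the step that actually closes the exposure; the rewrite just stops new clones from carrying it.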
Wow, nice catch Drishit!
Didn't think that far ahead to be honest!
So well done on exposing this, definitely worthwhile fixing that as well.
I guess we should take into account that the affected commits will change their SHA; it will cause conflicts with already cloned repositories, won't it?
Good question actually!
Not too sure how it behaves on cloned repos.
Oh this will mess up the history of the repo real good and anybody who tries to pull force-pushed commits will get errors. But if anyone is pushing secrets to a central branch that a team is pulling from, that team has bigger problems anyway.
The solution that I have in mind is just to notify the team to wait for the fix and then do the "pull --force", because, as you said, it's an important security fix; then all will be in sync and can work.
Unfortunately, things like this (maybe not a .env file, but a hardcoded secret perhaps?) might still be committed and even pass a PR.
Mistakes are human, and agree once this happens you should notify the team and work on getting this sorted right away and make sure everyone is up to date in source again.
brew install bfg
As long as a repo is private or local, a .env file could be committed into the repo.
I would also urge to not do that.
What happens when you decide to introduce someone else, sell the project or code gets leaked?
Perfect, I've been looking for this my entire life. 😭
Glad it helps Mohmed! 🎉
Nice article as usual Chris! 👏
Have you thought about linking all the Git articles into a series? I think that would be helpful for someone who lands on them in the future.
Good point Abhinav.
Always forget to do that as it's automatic on my blog!
Doing it right now! 👀
Done this, but the file is still there if I look at the initial commit and at the commit I made to remove the file (last year).