I tried this on my repository, got the same result on GitHub.
However, I found a small gotcha. If you put the file name in commit message like 'Add .env' and you do git log --all --grep='.env', then you get 2 commits pointing to it. One is the old commit and the other one is the new rewritten commit.
And if you copy the old commit id and search it in GitHub, then you will be able to see the content of the file.
Even if you don't put the name of the file in the commit msg, there's still a possibility of an attacker going through all the commits and finding the .env file.
I tried this on my repository, got the same result on GitHub.
However, I found a small gotcha. If you put the file name in commit message like 'Add .env' and you do
git log --all --grep='.env', then you get 2 commits pointing to it. One is the old commit and the other one is the new rewritten commit.And if you copy the old commit id and search it in GitHub, then you will be able to see the content of the file.
Even if you don't put the name of the file in the commit msg, there's still a possibility of an attacker going through all the commits and finding the .env file.
Wow, nice catch Drishit!
Didn't think that far ahead to be honest!
So well done on exposing this, def worth while fixing that as well.