DEV Community

Grzegorz Piechnik

Security risks associated with using the git version control system

Git is a version control system used by almost everyone who works with code. Despite its advantages in ease of use, speed and transparency, it introduces a number of threats to application security.

.git directory

We already encountered the problem of an exposed .git directory in a previous post. An article published in 2018 reports that incorrectly secured .git directories left 390,000 sites vulnerable to attack. This illustrates the enormous scale of the problem, which cannot be ignored.

What does the .git directory contain? Among other things, the full commit history and the logs of every commit executed locally (including reverted changes). So be sure to add the .git folder (created automatically when the repository is initialized) to the .gitignore file first.

Disclosure of sensitive data

Storing credentials, API keys or encryption secrets directly in the code is a very convenient programming practice: there is no need to keep them in a separate file and import them, and no need to update and hand separate files to each team member. Personally, I have encountered the problem most often in mobile applications. The following video testifies to the scale of the problem.

https://www.youtube.com/watch?v=l0YsEk_59fQ

There are a number of tools that scan directories and repositories for sensitive data. These include, among others, data-scanner, credential-digger and gitleaks (linked in the sources below).
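To show what such scanners do, here is an added example in Python (not code from the original post or from any of the tools named above): a few regular-expression rules for known key formats, a Shannon-entropy filter that keeps only random-looking values in generic `key = "..."` assignments, and a helper that runs the same rules over every line ever added in a repository's history. The rule names, patterns, the 3.5-bit threshold and the sample config are assumptions constructed for the example.

```python
import math
import re
import subprocess
from collections import Counter

# Constructed rule set (hypothetical names); real scanners ship far larger ones.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic `api_key = "..."` style assignments; the captured value is entropy-filtered.
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|passw(?:or)?d)\b\s*[:=]\s*['\"]([^'\"\s]{12,})['\"]"
    ),
}

def shannon_entropy(value: str) -> float:
    """Bits per character: random keys score near 4 or above, words and identifiers well below."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """Return one finding per matched rule per line: {'line', 'rule', 'match'}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Generic assignments are noisy (placeholders, plain words); keep only random-looking values.
                if rule == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                findings.append({"line": lineno, "rule": rule, "match": value})
    return findings

def scan_git_history(repo_path: str) -> list:
    """Scan every line ever added on any branch: a secret that was committed and later
    deleted is still in history (and in every clone) until the history is rewritten."""
    log = subprocess.run(["git", "-C", repo_path, "log", "--all", "-p", "--no-color"],
                         capture_output=True, text=True, check=True).stdout
    added = [l[1:] for l in log.splitlines() if l.startswith("+") and not l.startswith("+++")]
    return scan_text("\n".join(added))  # 'line' here indexes the list of added lines

# Constructed sample, not real credentials.
SAMPLE_CONFIG = """\
aws_access_key_id = AKIAQWERTYUIOP123456
password = "changemeplease"
api_key = "x9Qz2Lm7Vb4Tr8Wn"
"""
```

Running `scan_text(SAMPLE_CONFIG)` reports the AWS-style key and the random `api_key`, while the low-entropy `password` placeholder is skipped; `scan_git_history(".")` applies the same rules to a local clone's full history.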

Unsigned commits

When making commits, we can easily see who is listed as the author of a change. However, not many people know that there is such a thing as a cryptographic GPG key. Unless a commit has been signed with one, we cannot be sure who actually made it. It may turn out that another developer attributed the commit to a colleague in order to quietly inject a backdoor. Commits and tags signed with a GPG key are marked as "Verified" or "Partially Verified" by GitHub.

[Image: git-01.png] An example of a verified commit from the official GitHub documentation.

How can we sign our commit? Add the -S flag to the standard commit command.

git commit -S -m 'your commit message'

You can learn how to create the GPG key itself from the official documentation.

Misconfiguration

Keeping secrets and configuration out of a repository should be a matter of course, but it is not. As an example, we can take Samsung and the leaked source code of their SmartThings app. It held sensitive data, credentials and secret keys. Among other things, the files contained the data needed to log into an AWS account with more than 100 S3 storage buckets holding logs and analytics data. In addition, the project contained plaintext GitLab tokens, which allowed access to 93 private repositories.

Sources

https://spectralops.io/blog/8-top-git-security-issues-what-to-do-about-them/
https://www.whitesourcesoftware.com/resources/blog/top-5-git-security-mistakes/
https://techcrunch.com/2019/05/08/samsung-source-code-leak/
https://github.com/knowyourdata/data-scanner
https://github.com/SAP/credential-digger
https://github.com/zricethezav/gitleaks
https://threatpost.com/open-git-directories-leave-390k-websites-vulnerable/137299/
https://docs.github.com/en/github/authenticating-to-github/managing-commit-signature-verification/generating-a-new-gpg-key
