Git is the version control system used by almost everyone who works with code. Despite its advantages (ease of use, speed, transparency), it also introduces a number of application security risks.
.git directory
We have already encountered the problem of an exposed .git directory in a previous post. An article from 2018 (Threatpost, linked in the Sources) reports that improperly secured .git directories left about 390,000 websites open to attack. That is the scale of the problem, and it cannot be ignored.
What is in the .git directory? The complete object store (every version of every file that was ever committed, including changes that were later reverted), the reflog of local operations, the repository configuration (which can contain remote URLs with embedded credentials) and the hooks. Anyone who can fetch it from a web server can reconstruct the whole source tree and its history.
Note that adding .git to .gitignore does nothing: Git never tracks its own metadata directory, so that entry is a no-op. The directory ends up on a web server when the repository itself is deployed, typically by running git clone or git pull inside the document root. The fix is to deploy only the files the application needs (for example an export produced with git archive) or, if a clone must live there, to deny access to any path beginning with /.git at the web server level (a location block with deny all in nginx, RedirectMatch 404 /\.git in Apache), and then to verify from the outside that /.git/HEAD is not served.
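Two checks for the situation described above, as an added example that is not code from the original post: one that tests a deployed site for a served .git/HEAD, and one that refuses to ship a build directory that still carries Git metadata. The URL, directory names and the usage commands are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Two checks for an exposed
# .git directory: one run against a deployed site, one run before deploying.
# The URL and directory names are placeholders chosen for this example.

# looks_like_git_head: read a fetched /.git/HEAD body on stdin and return 0
# only if it is a genuine HEAD file. A real HEAD is a single line, either
# "ref: refs/heads/<branch>" or a bare 40-hex (SHA-1) / 64-hex (SHA-256)
# commit id. A "soft 404" HTML page that comes back with status 200 does
# not match, which keeps the remote check free of false positives.
looks_like_git_head() {
    head -n 1 | grep -E -q '^(ref: refs/[^[:space:]]+|[0-9a-f]{40}|[0-9a-f]{64})$'
}

# check_git_exposed URL: fetch <URL>/.git/HEAD and report whether the web
# server is serving the repository metadata. Exit status 1 means exposed.
# (Needs network access; not exercised offline.)
check_git_exposed() {
    url="${1%/}/.git/HEAD"
    if curl -s -f -L --max-time 10 "$url" | looks_like_git_head; then
        echo "EXPOSED: $url is served; the whole history can be downloaded" >&2
        return 1
    fi
    echo "ok: $url is not served"
    return 0
}

# deploy_tree_is_clean DIR: refuse to ship a build directory that still
# carries .git metadata. Looks for both the .git directory of a normal clone
# and the .git file used by submodules and worktrees.
deploy_tree_is_clean() {
    found=$(find "$1" -name .git | head -n 1)
    if [ -n "$found" ]; then
        echo "refusing to deploy: found $found" >&2
        return 1
    fi
    return 0
}

# Usage sketch (placeholder paths and host):
#   git archive --format=tar HEAD | tar -x -C /tmp/site-build   # export without .git
#   deploy_tree_is_clean /tmp/site-build && rsync -a /tmp/site-build/ web:/var/www/site/
#   check_git_exposed https://example.com
```

The remote check deliberately validates the body rather than trusting the HTTP status, because many sites answer every unknown path with a 200 and an HTML error page.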
Disclosure of sensitive data
Storing credentials, API keys or encryption secrets directly in the code is tempting because it is convenient: there is no separate file to keep, import and hand to every team member. The cost is that the moment such a file is committed, the secret becomes part of the history and is copied into every clone; deleting it in a later commit does not remove it, so a leaked secret has to be rotated, not just edited out. Personally, I have most often encountered the problem in mobile applications. The following video can testify to the scale of the problem.
https://www.youtube.com/watch?v=l0YsEk_59fQ
There are a number of tools that scan a repository or directory for sensitive data. These include, among others, gitleaks, SAP's credential-digger and knowyourdata's data-scanner (links in the Sources below). Running one of them as a pre-commit hook or in CI catches secrets before they reach the shared history; scanning only the current working tree is not enough, because it misses secrets that were committed and later removed.
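A minimal version of such a check, as an added example that is not code from the original post or from any of the tools named above: three pattern families (AWS access key IDs, PEM private-key headers, quoted values assigned to password/secret/token-like names) applied to the lines a commit adds. The sample input is constructed for this example and contains no real credentials.

```shell
#!/bin/sh
# Added example, not code from the original post: a minimal secret check that
# can run as a pre-commit hook. Only three pattern families are covered; a real
# scanner such as gitleaks ships far more rules.

# secret_grep [grep options]: grep stdin for the secret patterns.
# -i applies to every rule (so PASSWORD= is caught as well as password=; a
# lower-case "akia..." would also match, which is an acceptable false positive).
secret_grep() {
    grep -E -i "$@" \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e "(password|passwd|secret|api_?key|token)[[:space:]]*[=:][[:space:]]*['\"][^'\"]{8,}['\"]"
}

# count_findings: print how many input lines look like a secret (0 when clean).
count_findings() {
    n=$(secret_grep -c) || true
    echo "${n:-0}"
}

# scan_lines: print each suspicious line with its line number and return 1
# when anything matched, so a hook can block the commit; 0 when clean.
scan_lines() {
    if secret_grep -n; then
        return 1
    fi
    return 0
}

# scan_staged: apply scan_lines to the lines being added in the staged diff.
# Install as .git/hooks/pre-commit (or via core.hooksPath) to block commits
# that introduce a secret. Anything that already got committed must still be
# rotated: removing it in a later commit leaves it in the history.
scan_staged() {
    git diff --cached --unified=0 --no-color \
        | grep '^+' | grep -v '^+++' | cut -c2- | scan_lines
}

# Constructed sample of "added" lines for this example (not real credentials;
# AKIAIOSFODNN7EXAMPLE is the placeholder key id from the AWS documentation):
SAMPLE='aws_access_key_id = AKIAIOSFODNN7EXAMPLE
retries = 3
token: "not_a_real_token_value_0001"
-----BEGIN RSA PRIVATE KEY-----'

# Usage:
#   printf '%s\n' "$SAMPLE" | scan_lines   # lists lines 1, 3 and 4, exit status 1
#   scan_staged                            # inside a repo, as the pre-commit hook
```

The hook only sees added lines, so renaming a file that already contains a secret passes; that is exactly the gap a full-history scanner closes.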
Unsigned commits
When looking at a commit we can easily see who is listed as its author. But the author and committer fields are just strings taken from the user.name and user.email settings (or passed with --author), so anyone can set them to anything. Until a commit has been signed with a cryptographic key (a GPG key, or an SSH key in Git 2.34 and later), there is no way to be sure who actually made it: a developer could attribute a commit to a colleague in order to sneak in a backdoor. Commits and tags carrying a valid GPG signature from a key linked to the account are marked "Verified" (or "Partially verified") by GitHub.
![[git-01.png]]
An example of a verified commit, from the official GitHub documentation.
How do we sign a commit? Add the -S flag to the usual commit command:
git commit -S -m 'your commit message'
Signing by hand is easy to forget, so it is better to make it the default in the Git configuration. How to create the GPG key itself and attach it to your GitHub account is covered in the official documentation (see Sources). Keep in mind what "Verified" means: the signature proves that the holder of that key made the commit, nothing more, so the key has to be one you actually trust.
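Making signing the default and auditing a branch for commits without a good signature, as an added example that is not code from the original post. It relies on Git's %G? format placeholder, whose status letters are documented in git log; the key id and branch names in the usage lines are placeholders for this example, and the sample audit input is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: turn signing on by default and
# audit a branch for commits that do not carry a good signature. The key id and
# branch names are placeholders for this example.

# enable_signing KEYID: sign every commit and tag by default, so nobody has to
# remember -S. (Only writes git config; not run offline.)
enable_signing() {
    git config --global user.signingkey "$1"
    git config --global commit.gpgsign true
    git config --global tag.gpgSign true
}

# classify_signatures: read lines "<commit> <status> <author...>" on stdin, where
# <status> is git's %G? placeholder, and print every commit whose signature is
# not "G" (good) with an explanation. Exit status 1 if any such commit exists.
classify_signatures() {
    awk '
    BEGIN {
        why["N"] = "no signature"
        why["B"] = "BAD signature"
        why["U"] = "good signature, key not trusted"
        why["X"] = "good signature, expired"
        why["Y"] = "good signature, key expired"
        why["R"] = "good signature, key revoked"
        why["E"] = "cannot verify (missing key or gpg error)"
    }
    $2 != "G" {
        printf "%s %s: %s\n", $1, $2, (($2 in why) ? why[$2] : "unknown status")
        bad = 1
    }
    END { exit bad + 0 }'
}

# count_unsigned: same input as classify_signatures, print only the number of
# commits that are not "G".
count_unsigned() {
    awk '$2 != "G" { n++ } END { print n + 0 }'
}

# audit_branch [REV-RANGE]: run the classification over real history.
# %G? can only say "G" when the signer's public key is in the local keyring;
# an unknown key shows up as E, which this audit treats as not verified.
audit_branch() {
    git log --format='%H %G? %an' "${1:-HEAD}" | classify_signatures
}

# Usage (placeholder key id and range):
#   enable_signing 3AA5C34371567BD2
#   audit_branch origin/main..HEAD    # exit 1 if any commit in the range is not verified
#   git verify-commit HEAD            # inspect one commit's signature directly
```

Run the audit in CI on the range a pull request adds: it turns "we sign our commits" from a habit into something that is actually enforced.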
Misconfiguration
Repository visibility and access control should be a matter of course, but they are not. As an example, take Samsung and the 2019 leak of the SmartThings source code: a GitLab instance used by Samsung developers had projects set to public, so anyone could read them. The files held sensitive data, credentials and secret keys, among them the credentials for an AWS account with more than 100 S3 buckets of logs and analytics data, and plaintext GitLab tokens that gave access to 93 private repositories. The lesson is that the hosting platform is part of the attack surface: default new projects to private, audit visibility regularly, and when a leak is found rotate every credential in it rather than merely deleting the file, since it stays in the history.
Sources
https://spectralops.io/blog/8-top-git-security-issues-what-to-do-about-them/
https://www.whitesourcesoftware.com/resources/blog/top-5-git-security-mistakes/
https://techcrunch.com/2019/05/08/samsung-source-code-leak/
https://github.com/knowyourdata/data-scanner
https://github.com/SAP/credential-digger
https://github.com/zricethezav/gitleaks
https://threatpost.com/open-git-directories-leave-390k-websites-vulnerable/137299/
https://docs.github.com/en/github/authenticating-to-github/managing-commit-signature-verification/generating-a-new-gpg-key