[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAAyEnSMU_VSp_bHRZ7PmoaGVgkUmgQzf1zG4wCbi5euvi6fMUA@mail.gmail.com>
Date: Fri, 11 Feb 2022 07:47:24 -0500
From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com>
To: fulldisclosure@...lists.org
Subject: [FD] Finding secrets in mirrored Git repositories
(Full blog post here:
https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/)
SUMMARY
Due to a discrepancy in Git behavior, the full contents of a source
code repository are not visible when making copies via the “git clone”
command. The entire contents only become visible when using the
“–mirror” option. This can lead to secrets being exposed via git
repositories when not removed properly, and a false sense of security
when repositories are scanned for secrets against a cloned,
non-mirrored copy.
Attackers and bug bounty hunters can use this discrepancy in Git
behavior to find hidden secrets and other sensitive data in public
repositories.
Organizations can mitigate this by analyzing their entire repositories
using the “–mirror” option and remove sensitive data using tools like
BFG or git-filter-repo (which do a more thorough job).
DETAILS
Git is a popular open source tool used for version control of source
code. When users make a copy of a local or remote git repository, they
use the “git clone” command. However, this command doesn’t copy all of
the data in the originating repository such as deleted branches and
commits. On the other hand, there is a “–mirror” option which copies
the entire repository including all deleted content. The discrepancy
between the two behaviors can lead to secrets and other sensitive data
lingering in the original repository. Additionally, existing tools for
secrets detection often operate on cloned repositories and do not
detect secrets in the mirror portion of the repository unless cloned
via the “–mirror” command.
We also tested forking in GitHub and GitLab, and in both systems
forking uses the regular “git clone” behind the scenes and not the
“–mirror” version. That means that repositories containing secrets in
the mirrored portion will not propagate those secrets to their forks.
We provide two examples of repositories containing hidden secrets that
are only visible when cloning with the “–mirror” option. These can be
found here:
- https://github.com/nightwatchcybersecurity/gb_testrepo_delete
- https://github.com/nightwatchcybersecurity/gb_testrepo_reset
TOOLING
There are plenty of existing tools out there that can manipulate git
repositories, scan them for secrets and remove specific commits.
During our research, we used git for checking out repositories,
git-filter-repo for figuring out the delta between cloned and mirrored
copies of the same repository, and gitleaks to scan for secrets.
For examples on how to use these tools, please see sample scripts that
we have published to GitHub:
- https://github.com/nightwatchcybersecurity/gitbleed_tools
MITIGATIONS
Organizations can mitigate this by analyzing their entire repositories
using the “–mirror” option and remove sensitive data using tools like
BFG or git-filter-repo. Garbage collection and pruning in git is also
recommended.
Organizations should not analyze regular cloned copies (without the
“–mirror” option) since that may provide a false sense of security,
and should not rely on methods of removing secrets such as deleting a
branch or rewinding history via the “git reset” command.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists