How to prevent serving .git directory on web

Recently, while working on a web-based project running on Apache 2 on an EC2 Linux server with PHP and MySQL, and using git as the source version control system (VCS), I was able to access the .git repository from the browser at http://example.com/.git/

Why is it bad to keep the .git folder on a production server where it is accessible from the web?

When deploying a web-based application, we usually just clone the repository. Most VCSs create a metadata folder in the root directory of the project; git, for example, creates the .git folder.

Out of those 1.5m sites, 2,402 have their .git folder exposed and downloadable. That’s 1 in 600 decent respectable sites, or 0.16% of the internet, that is dangerously exposed.

http://www.jamiembrown.com/blog/one-in-every-600-websites-has-git-exposed/

If that folder is accessible from the web, anyone can download the complete source code, see the whole revision history and every past file modification, and read any configuration files that were committed to the repository. That gives an attacker a thorough understanding of the code base and a good chance of spotting security flaws or other severe issues.

How to disallow access to the .git directory from the website

There are several ways of fixing this problem; a few of them are listed below:

  • Delete the .git folder from the root directory.
  • Move the .git folder to some other location from where it can’t be reached from the browser.
  • Don’t allow access to any file that starts with a dot, using an .htaccess file.

I chose to go ahead with the last option, not allowing access to any hidden files from the browser, because I don’t want to lose the advantages of git, like simply switching branches, pulling updates or doing other related stuff. So I want to keep the .git directory but not let users access it from the browser.

In the Linux operating system, a hidden file is any file whose name begins with a “.”. A hidden file cannot be seen with a bare ls command or an unconfigured file manager. In most cases you won’t need to see those hidden files, as most of them are configuration files/directories for your desktop.

Ideally no hidden file should be accessible from the browser, and that includes the git folder, since it is named `.git`.

I was using Apache 2, so I did the following:

  1. Apache modification
    • Enable mod_rewrite in Apache (skip this if it is already enabled).
    • Locate the httpd.conf file; in my case it is located at `/etc/httpd/conf/httpd.conf`
    • Locate the directory configuration in the httpd.conf file; in my case I looked for `<Directory "/var/www/html">` because my source code lives under this folder
    • Make sure `AllowOverride All` is set for that directory, so the configuration can be overridden using an .htaccess file
    • Restart the Apache server for the changes to take effect: `sudo service httpd restart`
  2. Create an .htaccess file in the project root directory and add the lines below.
RewriteEngine On
# Answer 403 Forbidden ([F]) and stop rewriting ([L]) for any path segment that starts with a dot (.git, .htaccess and other dotfiles)
RewriteRule (^|/)\.([^/]+)(/|$) - [L,F]
# Same for editor backup files whose name ends in ~ (for example index.php~)
RewriteRule (^|/)([^/]+)~(/|$) - [L,F]

Great! That’s all. Try to access any hidden file or folder from the browser; it will now return 403 Forbidden.
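To see what those two rules actually block (and what they let through), here is an added Python example that is not from the original post: it applies the same two regular expressions to URL paths and then runs them over a few constructed Apache access-log lines to flag hidden or backup files that were served with a 2xx, which is what an older log from before the fix would reveal. The log lines and IP addresses are constructed sample data.

```python
import re

# The two patterns from the .htaccess above. Apache matches a RewriteRule in
# .htaccess against the path relative to that directory (no leading slash),
# and "(^|/)" makes the patterns work whether or not a slash precedes the name.
HIDDEN_FILE = re.compile(r"(^|/)\.([^/]+)(/|$)")   # .git, .htaccess, .svn, ...
BACKUP_FILE = re.compile(r"(^|/)([^/]+)~(/|$)")    # editor backups: index.php~

def is_forbidden(path: str) -> bool:
    """True if the .htaccess rules would answer 403 Forbidden for this URL path."""
    rel = path.split("?", 1)[0].lstrip("/")       # drop query string and leading slash
    return bool(HIDDEN_FILE.search(rel) or BACKUP_FILE.search(rel))

# Constructed Apache combined-log lines (sample data, not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2017:13:55:36 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.47.0"
203.0.113.5 - - [10/Oct/2017:13:55:37 +0000] "GET /.git/config HTTP/1.1" 200 137 "-" "curl/7.47.0"
198.51.100.7 - - [10/Oct/2017:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:13:56:02 +0000] "GET /config.php~ HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:13:56:03 +0000] "GET /assets/.hidden/x HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def served_hidden_files(log_text: str) -> list:
    """Paths that were served (2xx) although the rules would forbid them.

    Over a log from before the fix this shows what leaked; over a log from
    after the fix the list should be empty, because those requests get a 403.
    """
    leaked = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m and m.group("status").startswith("2") and is_forbidden(m.group("path")):
            leaked.append(m.group("path"))
    return leaked

if __name__ == "__main__":
    for p in ["/.git/HEAD", "/.htaccess", "/config.php~", "/index.php", "/assets/.hidden/x", "/a.b/c"]:
        print(f"{p:20} -> {'403 Forbidden' if is_forbidden(p) else 'served'}")
    print("served but should be forbidden:", served_hidden_files(SAMPLE_LOG))
```

Note that a dot inside a name (`/a.b/c`) is not blocked, only a segment that starts with one; that is intended, otherwise every `.php` or `.css` request would be refused.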

References:

http://www.askapache.com/htaccess/

http://jafty.com/blog/enable-mod_rewrite-on-apache-ec2-linux-server/

https://medium.freecodecamp.com/understanding-git-for-real-by-exploring-the-git-directory-1e079c15b807

MySQL calculate gender percentage

We need to calculate the gender percentage from the user table based on the gender column. So, let’s say that out of 10 users 5 are male and 5 are female; then we can say that the male percentage is 50%.

Create a table using the query below:

CREATE TABLE `users` (
 `name` varchar(255) DEFAULT NULL,
 `gender` varchar(10) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

Insert some records using the query below:

insert into users values ('bishwanath', 'male'), ('robin', 'male'), ('riya', 'female'), ('joe', 'male');

Solution 1:

select ((sum(case when gender = 'male' then 1 else 0 end)/count(*))*100) as male_percentage from users limit 1;

Solution 2:

select (((select count(*) from users where gender = 'male')/count(*)) * 100) as male_percentage from users limit 1;

There could be more ways of doing it; this is just for reference.

My MySQL version: 10.0.29-MariaDB-0ubuntu0.16.04.1

How to kill a frozen screen in Ubuntu 16.04

I am using Ubuntu full-time now, after formatting my machine and getting rid of Windows and the dual boot. While I was using it, my Google Chrome window suddenly froze and none of the controls were working. I tried killing it from the task bar by right-clicking on the icon -> Quit, but that was not working at all.

So I decided to google for solutions, like how to kill a program forcefully, and I came across an interesting utility that is already there on Ubuntu/Linux machines: xkill.

What is Xkill?

Xkill is a utility for forcing the X server to close connections to clients. This program is very dangerous, but is useful for aborting programs that have displayed undesired windows on a user’s screen. If no resource identifier is given with -id, xkill will display a special cursor as a prompt for the user to select a window to be killed. If a pointer button is pressed over a non-root window, the server will close its connection to the client that created the window.

Command:

➜ ~ xkill
Select the window whose client you wish to kill with button 1....
xkill: killing creator of resource 0x4200001

When you enter the xkill command in a terminal without any parameters, it asks you to choose the window/client to kill, so simply switch to the client you want to close and click on it. It will forcefully close the client.

Happy sharing! Loving Ubuntu(Linux)! Command rocks! 🙂

Beanstalk helpful commands

I really had to scratch my head when I forgot the commands, and that is what happened to me today with beanstalk: I had to check whether or not my jobs were getting queued in the beanstalk queue, and whether they were getting delayed.

Some of the commands that I used are:

  • Connect to beanstalk
telnet localhost 11300
  • Get the statistics of jobs and more details
stats

Output:

current-jobs-urgent: 15
current-jobs-ready: 22
current-jobs-reserved: 0
current-jobs-delayed: 25
current-jobs-buried: 0
cmd-put: 3620
cmd-peek: 0
cmd-peek-ready: 2
cmd-peek-delayed: 0
cmd-peek-buried: 0
cmd-reserve: 0
cmd-reserve-with-timeout: 82380
cmd-delete: 3573
cmd-release: 0
cmd-use: 643
cmd-watch: 12
cmd-ignore: 12
cmd-bury: 0
cmd-kick: 0
cmd-touch: 0
cmd-stats: 6
cmd-stats-job: 0
cmd-stats-tube: 0
cmd-list-tubes: 2
cmd-list-tube-used: 0
cmd-list-tubes-watched: 0
cmd-pause-tube: 0
job-timeouts: 0
total-jobs: 3620
max-job-size: 31457280
current-tubes: 8
current-connections: 8
current-producers: 5
current-workers: 4
current-waiting: 4
total-connections: 578
pid: 1286
version: 1.10
rusage-utime: 19.475000
rusage-stime: 22.225000
uptime: 421199
binlog-oldest-index: 45
binlog-current-index: 45
binlog-records-migrated: 0
binlog-records-written: 7193
binlog-max-size: 10485760
id: fb9d5d1abfc5af25
hostname: vagrant-0-6-0
  • To list all available tubes
list-tubes

Output:

- default
- bd36a09e-f26b-4355-a4a0-584cae4c7a0e-elastic
- bd36a09e-f26b-4355-a4a0-584cae4c7a0e-chat
  • To get the stats of a specific tube
stats-tube <your-tube-name>

Output:

---
name: default
current-jobs-urgent: 0
current-jobs-ready: 0
current-jobs-reserved: 0
current-jobs-delayed: 0
current-jobs-buried: 0
total-jobs: 2983
current-using: 1
current-watching: 1
current-waiting: 1
cmd-delete: 2983
cmd-pause-tube: 0
pause: 0
pause-time-left: 0
  • Select a tube to work with
use <your-tube-name>
  • Return the delayed job with the shortest delay left
peek-delayed
  • To delete a job
delete <job-id>

Reference: Full document on protocol
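As an added example (not from the original post), here is a small Python client that speaks the same protocol the telnet session above uses: it sends list-tubes and stats-tube, parses the YAML replies shown above, and reports the ready/delayed/buried job counts per tube, which is exactly the question the post started with. It assumes a beanstalkd listening on localhost:11300 when tube_backlogs() is called; the reply reader and parsers themselves run offline.

```python
import socket

def read_reply(recv) -> bytes:
    """Read one reply via recv(n): 'OK <bytes>\\r\\n' + <bytes> of YAML + '\\r\\n'."""
    buf = b""
    while b"\r\n" not in buf:                 # wait for the status line
        chunk = recv(4096)
        if not chunk:
            raise ConnectionError("beanstalkd closed the connection")
        buf += chunk
    head, body = buf.split(b"\r\n", 1)
    status = head.split()
    if status[0] != b"OK":                    # e.g. NOT_FOUND for an unknown tube
        raise RuntimeError(head.decode())
    size = int(status[1])
    while len(body) < size + 2:               # body is followed by "\r\n"
        chunk = recv(4096)
        if not chunk:
            raise ConnectionError("reply truncated")
        body += chunk
    return body[:size]

def parse_stats(body: bytes) -> dict:
    """Parse the flat 'key: value' YAML returned by stats and stats-tube."""
    result = {}
    for line in body.decode().splitlines():
        if line.startswith("---") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        v = value.strip()
        result[key.strip()] = int(v) if v.isdigit() else v   # counters become int
    return result

def parse_tube_list(body: bytes) -> list:
    """Parse the '- name' YAML list returned by list-tubes."""
    return [l[2:].strip() for l in body.decode().splitlines() if l.startswith("- ")]

def backlog(stats: dict) -> dict:
    """The post's question: how many jobs are ready, delayed or buried?"""
    return {k: stats.get(f"current-jobs-{k}", 0) for k in ("ready", "delayed", "buried")}

def tube_backlogs(host: str = "localhost", port: int = 11300) -> dict:
    """Connect like 'telnet localhost 11300' and report the backlog of every tube."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(b"list-tubes\r\n")
        report = {}
        for tube in parse_tube_list(read_reply(sock.recv)):
            sock.sendall(f"stats-tube {tube}\r\n".encode())
            report[tube] = backlog(parse_stats(read_reply(sock.recv)))
        return report
```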

Using MySQL Utilities Workbench Script mysqldbcompare To Compare Two Databases In Replication

Scripting MySQL

In my last two posts, I wrote about setting up replication with MySQL 5.6 using Global Transaction Identifiers. Even when I set up replication “the old-fashioned way“, one thought always enters my mind – did all of the data copy over to the slave? And, even after the master/slave has been running for a while, I am always wondering if the data in the slave matches the master. Or did the change that I made to that table make it over to the slave? It is probably more of a case of paranoia on my part, as MySQL replication is very reliable and works really well.

A few months ago, I started writing about the MySQL Utilities. If you haven’t heard about the MySQL Utilities:

“MySQL Utilities is a package of utilities that are used for maintenance and administration of MySQL servers. These utilities encapsulate a set…

View original post 1,578 more words

Cookies and the RESTful API

Mike Pearce

Right, after my presentation at PHPLondon this month, the most contentious issue was that of using cookies with your REST API. I said, in no uncertain terms, that you shouldn’t do it. There were a few cries from the audience which were akin to the flapping you hear in a parliamentary broadcast, Derick Rethans didn’t agree but had the grace not to publicly embarrass me* and one comment on the original post requesting a clarification of my statement.

So, to clarify!

One of the most important constraints of REST is that it should be stateless, that is, every request made to API should contain everything the application needs in order to service the request. Now, at it’s most terse, that is my clarification, however, the quicker witted and cleverer among you will be proud to announce that a cookie is part of a HTTP request, and you’d be right, so…

View original post 406 more words