How to prevent serving .git directory on web

Recently while working on a web based project which runs on apache2 on EC2 Linux server, PHP, MySQL, using git as a source version control system(VCS), i was able to access the .git repository from browser like http://example.com/.git/

Why is it bad to keep .git folder on server and accessible on production servers?

When deploying any web based application, we simply clone the repository. Most VCS create a meta folder in the root directory of the project. Like git creates .git folder.

Out of those 1.5m sites, 2,402 have their .git folder exposed and downloadable. That’s 1 in 600 decent respectable sites, or 0.16% of the internet, that is dangerously exposed.

http://www.jamiembrown.com/blog/one-in-every-600-websites-has-git-exposed/

If it is accessible from web, any user can download the complete source code and see all the revision history and past file modifications, also able to see all configuration files if there is any on the server. It gives an attacker ample understanding of code-base and can know about the security flaws or find some severe issues.

How to disallow access to .git directory from website

There are several ways of fixing this problem, listing few of them below

  • Delete the .git folder from root directory.
  • Move the .git folder to some other location from where it can’t be accessed from browser.
  • Don’t allow access to any files that start with DOT using .htaccess file

I choose to go ahead with the last option to not allow access to any hidden files from browser because i don’t want to loose the advantage of git, like simply switching branch or taking updates or doing other related stuff. So i want to keep the .git directory but let user not access it from browser.

In the Linux operating system, a hidden file is any file that begins with a “.”. When a file is hidden it can not been seen with the bare ls command or an un-configured file manager. In most cases you won’t need to see those hidden files as much of them are configuration files/directories for your desktop.

Ideally no hidden file should be accessible from browser, so is git folder as it is`.git`

I was using apache 2, so did it following

  1. Apache modification
    • Enable mode_rewrite in apache, ignore if already enabled.
    • Locate httpd.conf file, in my case its located at `/etc/httpd/conf/httpd.con`
    • Locate the directory configuration in httpd.conf file, in my case i located for `<Directory “/var/www/html”>` because my source code exist under this folder
    • Make sure `AllowOverride All` is set for the directory, to override the configuration using .htaccess file
    • Restart the apache server to reflect the changes `sudo service httpd restart`
  2. Create .htaccess file in project root directory and add below lines.
RewriteEngine On
RewriteRule (^|/)\.([^/]+)(/|$) - [L,F]
RewriteRule (^|/)([^/]+)~(/|$) - [L,F]

Great! That’s all. Try to access any hidden file folder from browser. it will give forbidden now.

References:

http://www.askapache.com/htaccess/

http://jafty.com/blog/enable-mod_rewrite-on-apache-ec2-linux-server/

https://medium.freecodecamp.com/understanding-git-for-real-by-exploring-the-git-directory-1e079c15b807

 

 

Cookies and the RESTful API

Mike Pearce

Right, after my presentation at PHPLondon this month, the most contentious issue was that of using cookies with your REST API. I said, in no uncertain terms, that you shouldn’t do it. There were a few cries from the audience which were akin to the flapping you hear in a parliamentary broadcast, Derick Rethans didn’t agree but had the grace not to publicly embarrass me* and one comment on the original post requesting a clarification of my statement.

So, to clarify!

One of the most important constraints of REST is that it should be stateless, that is, every request made to API should contain everything the application needs in order to service the request. Now, at it’s most terse, that is my clarification, however, the quicker witted and cleverer among you will be proud to announce that a cookie is part of a HTTP request, and you’d be right, so…

View original post 406 more words

Gulpjs – A quick Walkthrough

Today i came across with some amazing and powerful features of Gulp.js(Open source). Its a task runner and a powerful feature of nodejs. Gulp uses node.js streams. Its easy to use and have some useful api.

What is Gulp?

Its is a fast and intuitive streaming build tool built on Node.js. Gulp is a Task / Build runner. It uses node.js streams. Its easy to use and have some useful api, and is efficient. Gulp.js makes use of pipes for streaming data that needs to be processed.

How is it useful

Automating common/tedious task while building product(specially fronted) so that you can focus on more important task. There are loads of plugins available here which does various task and help us achieve almost everything. Few common task that i preferably use:

and many more…

Lets go to playground to have some fun.

Prerequisites:

Since it part of node module so we need to install nodejs first. I run on Ubuntu 14.04 OS.

Open the terminal and first install the node.

sudo apt-get update
sudo apt-get install nodejs

Now you need to install the npm which is Node.js package manager, from which one can install modules and packages to use with Node.js.

sudo apt-get install npm

So node is installed by now, you can check it by issuing nodejs -v and npm -v

Installing Gulp:

sudo npm install -g gulp

Then go to your project directory or create a new one, For me my project root directory is `/home/bishwanath/sites/gulp-demo` and run the following command, which will install it locally to the project also make sure you have already created a package.json files at root level. so that all downloaded plugins will be automatically added under  devDependencies because we use --save-dev flag

npm install --save-dev gulp

Start playing with gulp:

Lets create a file gulpfile.js in your project root directory. where we will create tasks and will run then using gulp command

Here is my initial gulpfile.js look like, just for testing purpose, added a default task which log to console 🙂

var gulp = require('gulp');
gulp.task('default', function() {
   console.log("I have configured a gulpfile"); // This will print on console as output
});

Now run this file using below command, make sure you are into your project dir.

# Lets go to the project directory
bishwanath@bishwanath-jha:~$ cd /home/bishwanath/sites/gulp-demo/

# Files in my project root
bishwanath@bishwanath-jha:~/sites/gulp-demo$ ls -all
total 32
drwxrwxr-x 3 bishwanath bishwanath  4096 Feb 19 01:24 .
drwxrwxrwx 9 bishwanath bishwanath  4096 Feb 18 23:44 ..
-rw-rw-r-- 1 bishwanath bishwanath   126 Feb 18 23:48 gulpfile.js
drwxrwxr-x 4 bishwanath bishwanath  4096 Feb 19 01:17 node_modules
-rw-rw-r-- 1 bishwanath bishwanath   131 Feb 19 01:17 package.json

# Lets execute/run gulpfile
bishwanath@bishwanath-jha:~/sites/gulp-demo$ gulp

# Here is the output
[01:31:23] Using gulpfile ~/sites/gulp-demo/gulpfile.js
[01:31:23] Starting 'default'...
I have configured a gulpfile
[01:31:23] Finished 'default' after 90 μs

In case you get below error, please run the fix as i got this on Ubuntu 14.04 and found the fix here


$ gulp

/usr/bin/env: node: No such file or directory

// Fix:run below command

ln -s /usr/bin/nodejs /usr/bin/node

How Gulp Works:

Gulp allows you to input your source file(s), pipe them through a bunch of plugins and get an output at the end, Let’s take a look at an example of what a basic JS uglifying and concating all js files into single js file called app.js with the help of gulp task.

Lets first install gulp plugin called gulp-uglify and gulp-concat


sudo npm install --save-dev gulp-uglify
sudo npm install --save-dev gulp-concat

Then modify the gulpfile as look like as below now


// Load gulp
var gulp = require('gulp');

// Load gulp plugins
var uglify  = require('gulp-uglify');
var concat  = require('gulp-concat');

// Defining a task as JS uglify
gulp.task('uglification', function() {
return gulp.src('./src/js/*.js') // It loads all .js files under /src/js
.pipe(concat('app.js')) // it further concat all files(currently we have three files check git repo below) contents into app.js
.pipe(uglify()) // it further Minify my JavaScript files/removing-spaces or compressing
.pipe(gulp.dest('./build')) // finally place that app.js file into /build directory
});

// Setting default task to run
gulp.task('default', ['uglification']);

Code Description:

The src() method let’s me specify where to find the JavaScript files.

The pipe() method takes the source stream derived from the src() method and passes it to the specific plugin concat(), so concat would receive the source stream and append all files into app.js

The pipe() method takes the source stream derived from the concat() method and passes it to the specific plugin uglify(), so it would receive the file app.js as stream and minify/compress app.js code.

Finally, using Gulp’s dest() method, all.js is written/created to my target folder. The process if very clear and very readable.

Output:

Now run gulpfile again, it will result into a single app.js(combining all js file mentioned in path into one) file under ./build directory. which will contain concatenated and compressed file of all js files under /src/js/.

bishwanath@bishwanath-jha:~/sites/gulp-demo$ gulp
[02:08:01] Using gulpfile ~/sites/gulp-demo/gulpfile.js
[02:08:01] Starting 'uglification'...
[02:08:01] Finished 'uglification' after 92 ms
[02:08:01] Starting 'default'...
[02:08:01] Finished 'default' after 7.48 μs

This is just one use case, we have may other examples use case. will be covering them into other posts, git repository.

Find the source code here on github : https://github.com/bishwanathjha/gulp-demo