Tool for analysing remote git repos accidentally shared by web devs
Python
Pull request Compare This branch is 10 commits ahead of sbp:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
.gitignore
README.md
greedy-git

README.md

greedy-git

A tool for analysing remote git files which have been accidentally shared on a web project

Usage

greedy-git -[aiIr] [-g file] url

By default, greedy-git checks a URL for the presence of url/.git/config, downloads it to ./url domain/config and makes a basic check to see if it looks like a git config file. If this file is present, it can then go on to do a number of other checks:

optional arguments:
  -i --index    Fetch and parse the index file at url/.git/index, creating also index.txt (human readable version), index.json (json encoded version), index.lst (flat file list) and index.rpt (analysis report on files found in index)
  -g path     Download the file relating to the path relative to the repository root, unzip it and save it in ./url domain/files/path
  -r --report   Show an overview of files in the repository (report.md)
  -I --get-interesting  Automatically get "interesting" files. These are:
      * Things that look like backup archives
      * Things that look like configuration files or that might contain credentials
      * Anything that looks like dynamic scripting source code
      * *.sql, *.inc, *.config, *.ini
      * hidden files, i.e. starting with "."
  -a            Get all files referenced in index

Hide Your Git Repositories!

On Apache

The following LocationMatch rule will deny access to any .git repository that happens to be servable by an Apache web-server. It also denies access to .htaccess and .htpasswd files as well as shows an example of denying access to environment configuration files popular in many frameworks. .env as a convention is just an example.

<LocationMatch ^.*/(\.ht.*|\.env.*|\.git)/.*$>
    Order allow,deny
    Allow from none
    Deny from all
</LocationMatch>