A tool for analysing remote git files which have been accidentally shared on a web project
greedy-git -[aiIr] [-g file] url
By default, greedy-git checks a URL for the presence of url/.git/config, downloads it to ./url domain/config and makes a basic check to see if it looks like a git config file. If this file is present, it can then go on to do a number of other checks:
optional arguments: -i --index Fetch and parse the index file at url/.git/index, creating also index.txt (human readable version), index.json (json encoded version), index.lst (flat file list) and index.rpt (analysis report on files found in index) -g path Download the file relating to the path relative to the repository root, unzip it and save it in ./url domain/files/path -r --report Show an overview of files in the repository (report.md) -I --get-interesting Automatically get "interesting" files. These are: * Things that look like backup archives * Things that look like configuration files or that might contain credentials * Anything that looks like dynamic scripting source code * *.sql, *.inc, *.config, *.ini * hidden files, i.e. starting with "." -a Get all files referenced in index
Hide Your Git Repositories!
LocationMatch rule will deny access to any
.git repository that happens to be servable by an Apache web-server. It also denies access to
.htpasswd files as well as shows an example of denying access to environment configuration files popular in many frameworks.
.env as a convention is just an example.
<LocationMatch ^.*/(\.ht.*|\.env.*|\.git)/.*$> Order allow,deny Allow from none Deny from all </LocationMatch>