Clausen

Reputation: 704

How to fix firebase vulnerability exposed by .git

I recently got an email as a result of an alleged open scan: https://smitka.me/

It states:

The problem is you have a publicly available git repository on your website. You can check it by visiting /.git/HEAD. When you visit the directory /.git you usually get a 403 error because there is no index.html/.php file and you don't allow the directory listing/autoindex to be shown (if you can see the directory structure you have a misconfigured webserver – it is another type of vulnerability). Despite the 403 it is possible to access the files directly. This is the way I found your e-mail address – from the /.git/logs/HEAD – it is the list of commits with details about committers.

I am not an expert in this area, and I have simply deployed my site using the firebase console. I have my folder under version control using git, and the screenshot will show you the folder structure in the root of the project folder, with hidden files showing.

[Screenshot: folder structure of the project root, hidden files shown]

In the link posted above, mitigation examples are provided, but I think they are for people with control over their server – I run off firebase hosting and seem to have no such control.

Questions:

  1. Is this a security vulnerability?
  2. If so, how can I mitigate it?

Upvotes: 3

Views: 1152

Answers (1)

Martin Zeitler

Reputation: 76669

The least effort might be to exclude the directory .git from the deployment, with firebase.json:

{
  "database": {
    "rules": "database.rules.json"
  },
  "hosting": {
    ...
    "ignore": [
      "README.md",
      "firebase.json",
      ".firebaserc",
      ".git",
      ".gitignore",
      ".idea",
      ...
    ]
  }
}

The bottom line is: only deploy what is essential to serve the page.

Upvotes: 4
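Two checks a site owner would want around this answer, as an added example that is not part of the question, the answer or the Firebase project: one tells whether a firebase.json's hosting.ignore actually excludes .git before you deploy, the other tells whether the body you get back from fetching /.git/HEAD is a real git HEAD file rather than a hosting platform's HTML 404 page (some hosts answer 200 for every path, so the status code alone is not enough). The three firebase.json samples are constructed here; the glob handling is a deliberate approximation of Firebase's ignore semantics (literal names, plus patterns with an optional leading `**/` or trailing `/**`), and the `**/.*` dotfile glob is the entry the Firebase CLI writes into a freshly initialised firebase.json, which already covers .git.

```python
import json
import re
from fnmatch import fnmatch

# A real .git/HEAD is either a symbolic ref ("ref: refs/heads/main")
# or, when detached, a bare 40-hex-digit commit id.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")


def looks_like_git_head(body: str) -> bool:
    """True if an HTTP response body looks like the contents of .git/HEAD.

    An HTML error page (even one served with status 200) does not match,
    so this avoids false positives on hosts that never return 404.
    """
    return bool(HEAD_RE.match(body.strip()))


def ignore_covers_git(firebase_json: str) -> bool:
    """True if hosting.ignore in a firebase.json excludes the .git directory.

    Approximation of Firebase's glob semantics (assumption, not the CLI's own
    matcher): an entry covers .git if it is the literal name ".git" or a glob,
    optionally prefixed with "**/" or suffixed with "/**", that matches ".git".
    """
    cfg = json.loads(firebase_json)
    for entry in cfg.get("hosting", {}).get("ignore", []):
        pattern = entry[3:] if entry.startswith("**/") else entry
        if pattern.endswith("/**"):
            pattern = pattern[:-3]
        pattern = pattern.rstrip("/")
        if fnmatch(".git", pattern):
            return True
    return False


# Constructed samples (not from the question): an ignore list that forgets
# .git, the answer's fix, and the dotfile glob the Firebase CLI writes by default.
EXPOSED_CONFIG = json.dumps({
    "hosting": {"public": "public", "ignore": ["README.md", "firebase.json"]}
})
FIXED_CONFIG = json.dumps({
    "hosting": {"public": "public",
                "ignore": ["README.md", "firebase.json", ".firebaserc",
                           ".git", ".gitignore", ".idea"]}
})
DEFAULT_CONFIG = json.dumps({
    "hosting": {"public": "public",
                "ignore": ["firebase.json", "**/.*", "**/node_modules/**"]}
})


def audit() -> dict:
    """Run both checks over the constructed samples and return the verdicts."""
    return {
        "exposed_config_ignores_git": ignore_covers_git(EXPOSED_CONFIG),
        "fixed_config_ignores_git": ignore_covers_git(FIXED_CONFIG),
        "default_config_ignores_git": ignore_covers_git(DEFAULT_CONFIG),
        "real_head_detected": looks_like_git_head("ref: refs/heads/master\n"),
        "html_404_detected": looks_like_git_head("<!DOCTYPE html><title>404</title>"),
    }


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

Run `ignore_covers_git` on your own firebase.json before deploying; after deploying, fetch `https://<your-site>/.git/HEAD` and pass the body to `looks_like_git_head` to confirm nothing leaks. If the repo was ever deployed, treat the commit history (author e-mails, any secrets ever committed) as already disclosed and rotate accordingly.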
