Story 1
One beautiful day, you engrossed in the project column, the work completed smoothly, you sent Pull Request and left.
Preparing to go home, suddenly there was a loud cry from the leader: “stupid pig, who pushes the secret key on github like this ???????”
From git log, you panicly realize that you are the killer, that’s it, what to do?
Story 2
Company X’s project is hosted on a private repo, people are only allowed to fork and create pull requests. All information is kept confidential.
One day, dev A resigned from his job.
To retain its code efforts, dev A silently copies the project’s code to its public repo.
At the end of the month, company X suddenly found AWS charged 50 thousand dollars
The company aggressively searched for the cause, finally discovering the AWS key was in public rep of employee A who was on vacation. Speechless.
Comment
I wonder if you can see your silhouette in the stories above in our programming life, we have probably made mistakes sometimes.
And not everyone is lucky.
There are many cases where a product is developing or even running and has been revealed a secret key, password, api key, private key, mnemonic or other sensitive information that has led to thousands, even goods. million dollar.
My team has also been exposed, and the damage is quite large, please do not disclose the number
You may not know it, but on the internet there are always tools running 24/24 just to scan such key leaks on information storage platforms such as github or gitlab, bitbucket … so fast that we can lose After less than 1 minute after the reveal key.
Even if our repo is private, the risk is still from the human factor (story 2).
And protecting the security key is always a top priority, from thinking (mindset) to action (actions).
Solution
So now how to not reveal the secret key ?
The answer is simple: do not put the secret key on github or anywhere else.
So we accidentally put up the secret key then how to handle it now?
The answer is disable and thoroughly delete it.
Disable
If you are using this secret key, api key, or password anywhere, immediately change the password, disable the api key at all services being used.
Born yourself a new key / password, absolutely do not use the old anymore.
Thoroughly erase
When I first started programming and became familiar with git, I often encountered this problem: Quickly delete the secret file, make a new commit, and push it up? As if nothing had happened.
This is a completely wrong handling. When we enter the commit history, we will see that the secret file remains in the old commit. Hopefully no one of us makes that rudimentary error anymore.
Once familiar with and experienced with git, we know that git stores tree history, commits after previous commits, meaning that to change the content of a commit, we will have to rebuild the entire history from the commit. that’s on (sounds like blockchain).
Now we have a more effective way than before: Use the tools to rebuild the commit history, make sure that the secret file is not contained in any commit, and then push the force onto the repo.
There are several things that can help us with this: git filter-branch or use an open source tool called BFG Repo-Cleaner .
One thing to note is that because commits are rewritten, their entire hashes have been changed. This can affect pull requests currently open on the repo. So we should merge or close all pull requests on the repo before proceeding to remove the file to change the commit history.
Delete a file from the commit history
1.1 Use BFG Repo-Cleaner
We will proceed to download and install according to the homepage here: https://rtyley.github.io/bfg-repo-cleaner/ .
BFG Repo-Cleaner is a tool built and maintained by the open sources community. BFG Repo-Cleaner provides a quick, simple way to delete unwanted files with many options.
For example, we can delete unwanted files (containing sensitive information) but still retain the last commit as follows:
1 2 | java -jar bfg --delete-files YOUR-FILE-WITH-SENSITIVE-DATA |
Or, to replace text inside a password.txt file, for example, we can use the following command:
1 2 | java -jar bfg --replace-text passwords.txt |
BFG Repo-Cleaner offers many other options, can be found at BFG Repo-Cleaner.
1.2 Use git filter-branch
To illustrate how git filter-branch , we will make an example of deleting files containing sensitive data on one of our repos.
- clone repo about
1 2 3 4 5 6 7 8 | $ git clone https://github.com/YOUR-USERNAME/YOUR-REPOSITORY > Initialized empty Git repository in /Users/YOUR-FILE-PATH/YOUR-REPOSITORY/.git/ > remote: Counting objects: 1301, done. > remote: Compressing objects: 100% (769/769), done. > remote: Total 1301 (delta 724), reused 910 (delta 522) > Receiving objects: 100% (1301/1301), 164.39 KiB, done. > Resolving deltas: 100% (724/724), done. |
- into the repo
1 2 | $ cd YOUR-REPOSITORY |
- delete the file in the commit history, remember to replace
PATH-TO-YOUR-FILE-WITH-SENSITIVE-DATAwith the secret file we want to delete.
1 2 3 4 5 6 | $ git filter-branch --force --index-filter "git rm --cached --ignore-unmatch PATH-TO-YOUR-FILE-WITH-SENSITIVE-DATA" --prune-empty --tag-name-filter cat -- --all > Rewrite 48dc599c80e20527ed902928085e7861e6b3cbe6 (266/266) > Ref 'refs/heads/master' was rewritten |
- Double check that the file has been completely deleted at all commits
- push force again to commit history
1 2 3 4 5 6 7 8 9 | $ git push origin --force --all > Counting objects: 1074, done. > Delta compression using 2 threads. > Compressing objects: 100% (677/677), done. > Writing objects: 100% (1058/1058), 148.85 KiB, done. > Total 1058 (delta 590), reused 602 (delta 378) > To https://github.com/YOUR-USERNAME/YOUR-REPOSITORY.git > + 48dc599...051452f master -> master (forced update) |
- push force all git tags to avoid disclosing information in the release versions of the repo
1 2 3 4 5 6 7 8 9 | $ git push origin --force --tags > Counting objects: 321, done. > Delta compression using up to 8 threads. > Compressing objects: 100% (166/166), done. > Writing objects: 100% (321/321), 331.74 KiB | 0 bytes/s, done. > Total 321 (delta 124), reused 269 (delta 108) > To https://github.com/YOUR-USERNAME/YOUR-REPOSITORY.git > + 48dc599...051452f master -> master (forced update) |
2. Put the secret file into gitignore
After we have deleted the secret file from the repo, we need to add that file to the .gitignore to make sure that we will never miss a commit again.
1 2 3 4 5 6 | $ echo "YOUR-FILE-WITH-SENSITIVE-DATA" >> .gitignore $ git add .gitignore $ git commit -m "Add YOUR-FILE-WITH-SENSITIVE-DATA to .gitignore" > [master 051452f] Add YOUR-FILE-WITH-SENSITIVE-DATA to .gitignore > 1 files changed, 1 insertions(+), 0 deletions(-) |
3. Delete github cached view
We deleted the old commit, rebuilt the commit history, the secret file no longer exists, so is it safe?
The answer is no.
In fact, github has a mechanism, which is cached views , although there are no more commits on the repo, but if there is a commit hash, we can still see it as usual . Or through old forks and pull requests, we can still see all the information of the old commit, including the secret file we pushed.
Readers can verify this by themselves as follows:
- Open the last commit of the repo in the browser
- locally delete old commit (by git reset or check out to previous commit)
- push force onto the repo, make sure the repo is no longer committed in step 1
- Refresh the browser in step 1, we will see the commit content remains intact as there has been no erasure here.
Toang !!!
How to handle this pile? Github Suggest gives us a final solution, which is to contact GitHub Support and GitHub Premium Support so that they can delete cached views as well as all references to sensitive data in the pull requests on github.
When this new old code really disappears from our repo.
But does it exist in the github database or not … only github knows.
4. Collaborator rebase code
Now with the team, make sure other collaborators will update the latest code with rebase , not merge . Because if you use merge, the old history containing the commit with the secret (on the collaborators’ machine) will be merged with the new history we just rebuilt. So, putting up everything we did before will be successful.
When using rebase , the commit history will be guaranteed to be the new history starting from the commit we rebuilt.
5. Delete junk
Finally, when everything is stable, we will remove all the backup objects we created by the git filter-branch above, cleaning our git:
1 2 3 4 5 6 7 8 9 | $ git for-each-ref --format="delete %(refname)" refs/original | git update-ref --stdin $ git reflog expire --expire=now --all $ git gc --prune=now > Counting objects: 2437, done. > Delta compression using up to 4 threads. > Compressing objects: 100% (1378/1378), done. > Writing objects: 100% (2437/2437), done. > Total 2437 (delta 1461), reused 1802 (delta 1048) |
Conclude
Summarizing the handling steps as follows:
- Disable all keys, change passwords (also notify related parties to do the same).
- Rebuild the commit history since the commit has been revealed.
- Put the secret file into
.gitignore. - Conduct
push forceto update repo history. - Message the collaborators to conduct a rebase.
- Contact GitHub Support and GitHub Premium Support to remove cached views and all references.
- Clear junk to clean git.
Be careful and always keep your key / password / mnemonic safe.
Consider each of your commits worth thousands of dollars.