deanSolecki  ·  3456 days ago  ·  link  ·  parent  ·  post: One in every 600 websites has .git exposed

I'm assuming if rails/angular are being used there isn't really a way this could happen, right?

I'm trying to figure out how a route could exist to a git directory, but I'm guessing it involves a project structure that I'm not familiar with.
j4d3  ·  3456 days ago  ·  link  ·  

It does depend on your project structure more than what you are building with. The solution is to make sure your web server is only showing the Internet the files you want it to. Set appropriate file permissions, of course, but also make sure your server doesn't show the contents of directories if there's no other page to load there. On an Apache server, those settings are in .htaccess.
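The two Apache settings this reply refers to, written out as an added example (not from the comment above); it assumes Apache 2.4 syntax and that `/var/www/site` is the document root:

```apache
# Added example for Apache 2.4; adjust the path to your own document root.
# Place this in the virtual host (httpd.conf / sites-enabled), not in .htaccess:
# <DirectoryMatch> is not permitted inside .htaccess files.
<Directory "/var/www/site">
    # Do not auto-generate a listing when a directory has no index page.
    Options -Indexes
</Directory>

# Refuse every request that touches a .git directory, including .git/HEAD
# and .git/config, which is what the exposure scanners look for.
<DirectoryMatch "/\.git(/|$)">
    Require all denied
</DirectoryMatch>

# If you can only edit .htaccess on shared hosting, this is the equivalent:
# RedirectMatch 404 /\.git(/|$)
```

Check the result with `apachectl configtest` and then confirm that `/.git/HEAD` on your own site returns 403 (or 404 with the RedirectMatch variant) instead of the file.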

deanSolecki  ·  3456 days ago  ·  link  ·  

Ah. I deploy from heroku, so this is likely not even possible, but since I tend to follow an "established" project structure maybe I'm wrong.

Even when I am running a server at localhost, though, it seems like the routes that I declare dictate what is available from a browser, so rails might also play gatekeeper (it exposes resources automatically if they're there [I'm on my Windows install, so I can't check if anything else is exposed, but I suspect not], but that's intended, and some sort of user model plays gatekeeper in that case). If something is at index saying, "anything that comes in, lemme have a peek at it," it seems like you'd have to intentionally compromise yourself to have issues with this.

I guess my lack of experience with "server servers" has given me a blind spot, since "sort of servers" (abstract servers? I don't know how you draw that distinction) don't have these issues, as far as I'm aware.

I'm rambling, but basically, if your backend is rails/rails-api, you probably can't expose yourself without explicitly doing so, outside of permissions to routes you've explicitly declared, or resource routes that are implicitly declared by rails' scaffolding?

user-inactivated  ·  3456 days ago  ·  link  ·  

Using git pull to deploy your code, or just scping the whole repo would do it.

tla  ·  3456 days ago  ·  link  ·  

There are tools that deploy code by making a new checkout, then removing the $versioncontrol directory (the next update simply archives the old directory and does another new checkout). I think Fabric is an example of this, if I am remembering correctly.