CHOKONEX / security-strategy-essentials

https://lab.github.com/githubtraining/security-strategy-essentials
MIT License

Sensitive data committed to history #9

Open github-learning-lab[bot] opened 3 years ago

github-learning-lab[bot] commented 3 years ago

Sensitive data elsewhere in the repository contents

Often sensitive data is buried deep in a repository's history. The process for removing these files and commit data is a bit trickier and more involved.

In our repository's history, there is a reference to a .env file with sensitive information. We've since added a .gitignore to prevent this from happening in the future, but it doesn't modify any previously committed references from the history.

There are a few things we need to think about and take into consideration before we start altering our historical content. But for now, let's start with identifying the commit in question by going through our commit history.

Step 12: Find historical reference to a previous .env file

  1. Navigate to the Code tab of the repository and click on the commits link directly under the Code tab
  2. Scanning through the commit history, locate the commit that added the .env file
  3. Copy and paste the commit SHA ID as a comment in this issue

I'll respond below when you add your comment to this issue.

CHOKONEX commented 3 years ago

848cd8c2043f6161a4f0043bffee212777281494

github-learning-lab[bot] commented 3 years ago

Nice, that's the commit that added the .env file. We'll need to remove the contents of this commit, as well as the commit that removed it from the history.

Step 13: Remove historical reference to a previous .env file

We can do this with the following commands:

  1. Since we cloned the repository earlier, let's run git checkout main to put us back on the main branch

  2. Run git pull to update your local repository with the changes we merged from the contributor's pull request

  3. Run git filter-branch --index-filter "git rm -rf --cached --ignore-unmatch .env" HEAD to remove the historical reference to the .env file

    Note: There is a lot going on with this command. We won't be diving into everything this command is doing, but it's filtering through the main branch and removing any cached reference to a .env file.

  4. Next, let's run git push -f to force push this change to the main branch

  5. Let's now run git log --oneline to get a list of our modified commit history

  6. Paste your log output into this issue as a comment

Here is an example of a log output using `git log --oneline`:
```
d27dde6 (HEAD -> main, origin/main, origin/HEAD) Merge pull request #8 from CHOKONEX/add-gitignore
65c1b71 Update .gitignore
a9b1b74 Merge add-wolverine-image into main
e2262cd Add wolverine image to game
9414843 Merge pull request #6 from CHOKONEX/a-a-ron-patch-1
16d5372 Create SECURITY.md
28b3625 Merge pull request #1 from CHOKONEX/update-dependency
3f7b819 Update package.json
e9ae69a Change package.json file to highlight where dependency update should go
831b1d1 Add empty .gitignore file
78cfef0 Remove .env file
8f08f15 Add .env file
e6e2377 Update README.md and Octocat game
528248c Initial commit
```

I'll respond below when I see your comment

CHOKONEX commented 3 years ago

```
45501a5 Merge pull request #8 from CHOKONEX/add-gitignore
0d37872 Update .gitignore
445cfe8 Merge add-wolverine-image into main
9649f96 Add .env file
0a27928 Add wolverine image to game
46a881d Merge pull request #6 from CHOKONEX/CHOKONEX-patch-1
782a8da Create SECURITY.md
e6865d8 Merge pull request #1 from CHOKONEX/update-dependency
caeb1ec Update package.json
d433546 Change package.json file to highlight where dependency update should go
5eeb484 Add empty .gitignore file
56d6fbb Remove .env file
848cd8c Add .env file
c5d4b69 Update README.md and Octocat game
89c7c6a Initial commit
```

github-learning-lab[bot] commented 3 years ago

Uh oh @CHOKONEX, something went wrong! I wasn't expecting this change. Please go over the instructions again and make sure you've followed them as exactly as you can.

Hint:

Make sure you use one of the below commands to remove reference to these commits.

If you would like help troubleshooting, create a post on the GitHub Community board. You might also want to search for your issue to see if other people have resolved it in the past.

CHOKONEX commented 3 years ago

```
45501a5 Merge pull request #8 from CHOKONEX/add-gitignore
0d37872 Update .gitignore
445cfe8 Merge add-wolverine-image into main
0a27928 Add wolverine image to game
46a881d Merge pull request #6 from CHOKONEX/CHOKONEX-patch-1
782a8da Create SECURITY.md
e6865d8 Merge pull request #1 from CHOKONEX/update-dependency
caeb1ec Update package.json
d433546 Change package.json file to highlight where dependency update should go
5eeb484 Add empty .gitignore file
56d6fbb Remove .env file
848cd8c Add .env file
c5d4b69 Update README.md and Octocat game
89c7c6a Initial commit
```

github-learning-lab[bot] commented 3 years ago

Uh oh @CHOKONEX, something went wrong! I wasn't expecting this change. Please go over the instructions again and make sure you've followed them as exactly as you can.

Hint:

Make sure you use one of the below commands to remove reference to these commits.

If you would like help troubleshooting, create a post on the GitHub Community board. You might also want to search for your issue to see if other people have resolved it in the past.

CHOKONEX commented 3 years ago

```
7cca5ac Delete .env
595b562 Merge pull request #8 from CHOKONEX/add-gitignore
509590a Update .gitignore
b52e149 Merge add-wolverine-image into main
09b2d1e Add .env file
3baed8c Add wolverine image to game
8bac8a3 Merge pull request #6 from CHOKONEX/CHOKONEX-patch-1
ab80185 Create SECURITY.md
b134361 Merge pull request #1 from CHOKONEX/update-dependency
8b7827a Update package.json
e9ae69a Change package.json file to highlight where dependency update should go
831b1d1 Add empty .gitignore file
78cfef0 Remove .env file
8f08f15 Add .env file
e6e2377 Update README.md and Octocat game
528248c Initial commit
```

github-learning-lab[bot] commented 3 years ago

Nice, your log output is no longer showing reference to those previous commits. So, what exactly just happened?

Our commit history has been modified

You probably noticed that when you ran the git filter-branch command, Git did some rewriting to some commits in the repository's history. Since we needed to alter the commits that referenced the .env file, it altered the commit ID, and all subsequent commits that point back to those commits.

This is why you need to consider local work and branches that are based on this previous history. This is okay to run, as long as everyone contributing in the repository is aware of the situation and can plan accordingly.

Is the sensitive information gone?

Those commits no longer show in the file contents in your repository history. You can see this by navigating to your repository's commit history and clicking on the "Add .env file" commit. Notice that there are now no referenced files or content recorded.

However, we can still access the cached commit if we know the old commit ID: https://github.com/CHOKONEX/security-strategy-essentials/commit/848cd8c2043f6161a4f0043bffee212777281494

Removing the old cached commits

This is where we'll need to contact the amazing GitHub Support team for assistance.

Even though we removed these commits, the historical reference to them can still be found if you know the commit ID. In a real-world situation, you'll need to contact GitHub Support to perform the following:

For our situation, we can skip contacting GitHub Support for this example! :smile:


Find your final issue here now.
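To see concretely what Steps 12 and 13 do, and why the old commit is still reachable afterwards (the "Is the sensitive information gone?" point above), here is an added shell example that is not part of the course or the repository: it replays the purge in a throwaway repository and then performs locally what the course says GitHub Support does server-side. It assumes `git` is on PATH; every commit, file name and the sample secret are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the course): replay Steps 12 and 13 in a throwaway repo
# and check what `git filter-branch` removes and what it leaves behind.
# All commits, file names and the sample secret are constructed for this demo.
set -eu
export FILTER_BRANCH_SQUELCH_WARNING=1   # skip filter-branch's 5 s deprecation pause

purge_env_demo() {
  command -v git >/dev/null 2>&1 || { echo skip; return 0; }
  repo=$(mktemp -d); cd "$repo"
  git init -q && git config user.email demo@example.com && git config user.name demo
  echo "# demo" > README.md;                       git add README.md;  git commit -qm "Initial commit"
  echo "API_KEY=constructed-sample-secret" > .env; git add .env;       git commit -qm "Add .env file"
  git rm -q .env;                                                      git commit -qm "Remove .env file"
  echo ".env" > .gitignore;                        git add .gitignore; git commit -qm "Add .gitignore"

  # Step 12: the commit that introduced .env is the one whose diff *adds* that path.
  added=$(git log --diff-filter=A --format=%H -- .env)

  # Step 13: rewrite every commit on the branch so its tree never contains .env.
  git filter-branch -f --index-filter \
    "git rm -rf --cached --ignore-unmatch .env" HEAD >/dev/null 2>&1

  # After the rewrite no commit on the branch touches .env any more ...
  remaining=$(git log --format=%H -- .env | wc -l | tr -d ' ')

  # ... but the old commit object, secret included, is still in the object store,
  # kept alive by refs/original/* and the reflog (the "cached commit" the course shows).
  before=gone
  if [ "$(git show "$added:.env" 2>/dev/null || true)" = "API_KEY=constructed-sample-secret" ]; then
    before=present
  fi

  # Local equivalent of the server-side cleanup: drop the backup refs, expire the
  # reflog and prune unreachable objects. Only then is the blob actually gone.
  git for-each-ref --format='%(refname)' refs/original/ |
    while read -r ref; do git update-ref -d "$ref"; done
  git reflog expire --expire=now --all
  git gc --prune=now --quiet
  after=present
  git cat-file -e "$added" 2>/dev/null || after=gone

  # Output: <old commit id> <commits still touching .env> <secret before gc> <secret after gc>
  echo "$added $remaining $before $after"
}

(purge_env_demo)
```

On a hosted remote the last three commands cannot be run by you, which is exactly why the course points at GitHub Support for the final step.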