Caught a .git/config crawler
23 points by FedericoSchonborn
23 points by FedericoSchonborn
I am not all that knowledgeable about git, but it looks to me like the contents of .git/config aren’t intrinsically valuable. People apparently keep credentials of various sorts, user names and passwords, TLS certificates, etc, in repositories that are under git version control
The first one is only sometimes true and the second isn't related to fetching .git/config unless the threat actor is trying to see if it is actually a clone
What I would guess they are looking for are directories "rsync deployed" by GitHub Actions which does rewrites to .git/config with a token so the CI job can clone the repo and any submodules therein. I am picking on GHA but I would guess that's a very common tactic for all the git CI setups. Some setups have a long-lived token that has more rights than just clone because it makes it easy to do pushes, tags, release creation, etc from within the same job, and thus inadvertently leak that token. The same risk applies to docker images when people do COPY . . without a .dockerignore in place, leading to extraheader = AUTHORIZATION: basic eC1hY... in their shipped image
To identify the other risk you'd need to spot a subsequent fetch by those threat actors to .git/index, HEAD, a bunch of files in pack etc
Can confirm.
/.git/config currently is #5 in my 404 error list.