A tool for analysing remote git files which have been accidentally shared on a web project
greedy-git -[aiIr] [-g file] url
By default, greedy-git checks a URL for the presence of url/.git/config, downloads it to ./url domain/config (a directory named after the URL's domain) and makes a basic check that the downloaded file looks like a git config file. If that file is present, it can go on to perform a number of further checks:
optional arguments:
  -i, --index            Fetch and parse the index file at url/.git/index, also creating index.txt (human-readable version), index.json (JSON-encoded version), index.lst (flat file list) and index.rpt (analysis report on the files found in the index)
  -g path                Download the git object for the given path (relative to the repository root), decompress it and save it in ./url domain/files/path
  -r, --report           Show an overview of the files in the repository (report.md)
  -I, --get-interesting  Automatically get "interesting" files. These are:
                           * things that look like backup archives
                           * things that look like configuration files or that might contain credentials
                           * anything that looks like dynamic scripting source code
                           * *.sql, *.inc, *.config, *.ini
                           * hidden files, i.e. names starting with "."
  -a                     Get all files referenced in the index
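The -i and -I options above come down to two steps: decoding the binary .git/index (which lists every tracked path together with its object id, mode and size, so it is the complete map of what an exposed repository would leak) and then filtering that list against the "interesting" categories. The following is an added example, not greedy-git's own code: a version-2 index parser with the checksum verified, plus a classifier using the categories listed above. The keyword and extension lists are my assumptions about what "looks like" each category, and the sample index is constructed in memory so the script runs offline; a defender can run the same parser over a copy of their own .git/index to review what a deployment would disclose before putting it behind a deny rule.

```python
import hashlib
import struct
from typing import Dict, List, NamedTuple

# Fixed-size head of a version-2 index entry: ten 32-bit stat fields
# (ctime, ctime ns, mtime, mtime ns, dev, ino, mode, uid, gid, size),
# the 20-byte object SHA-1 and a 16-bit flags word: 62 bytes in total.
_ENTRY = struct.Struct(">10I20sH")
_FIXED = _ENTRY.size  # 62


class IndexEntry(NamedTuple):
    path: str
    mode: int
    size: int
    sha1: str


def build_index(entries: List[IndexEntry]) -> bytes:
    """Serialise a minimal version-2 .git/index (used here to construct test data)."""
    body = bytearray(b"DIRC" + struct.pack(">II", 2, len(entries)))
    for e in sorted(entries, key=lambda e: e.path):
        name = e.path.encode()
        flags = min(len(name), 0xFFF)  # low 12 bits of flags carry the name length
        head = _ENTRY.pack(0, 0, 0, 0, 0, 0, e.mode, 0, 0, e.size,
                           bytes.fromhex(e.sha1), flags)
        # NUL-terminate the name and pad so the whole entry is a multiple of 8 bytes.
        pad = 8 - ((_FIXED + len(name)) % 8)
        body += head + name + b"\0" * pad
    return bytes(body) + hashlib.sha1(body).digest()  # trailing checksum


def parse_index(data: bytes) -> List[IndexEntry]:
    """Parse a version-2 index; raise ValueError if it is not one or is damaged."""
    if data[:4] != b"DIRC":
        raise ValueError("missing DIRC signature: not a git index")
    version, count = struct.unpack(">II", data[4:12])
    if version != 2:
        raise ValueError(f"unsupported index version {version}")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("checksum mismatch: truncated or corrupted download")
    entries, pos = [], 12
    for _ in range(count):
        fields = _ENTRY.unpack_from(data, pos)
        mode, size, sha1, flags = fields[6], fields[9], fields[10], fields[11]
        name_len, start = flags & 0xFFF, pos + _FIXED
        if name_len == 0xFFF:  # very long names: length not stored, scan for the NUL
            name_len = data.index(b"\0", start) - start
        name = data[start:start + name_len].decode()
        entries.append(IndexEntry(name, mode, size, sha1.hex()))
        pos += (_FIXED + name_len + 8) & ~7  # skip name, NUL and padding
    return entries


def looks_like_index(data: bytes) -> bool:
    """Cheap sanity check, e.g. to reject an HTML error page served for /.git/index."""
    try:
        parse_index(data)
        return True
    except (ValueError, struct.error, IndexError, UnicodeDecodeError):
        return False


# The "interesting" categories from the -I option, as simple heuristics (assumed lists).
_ARCHIVE = (".zip", ".tar", ".tar.gz", ".tgz", ".gz", ".7z", ".rar", ".bak", ".old")
_SCRIPT = (".php", ".py", ".rb", ".pl", ".asp", ".aspx", ".jsp", ".cgi")
_LISTED = (".sql", ".inc", ".config", ".ini")
_CRED_WORDS = ("config", "settings", "credential", "secret", "password",
               "passwd", "htpasswd", "id_rsa", ".env", ".pem", ".key")


def classify(path: str) -> List[str]:
    """Return the reasons a path counts as interesting (empty list if it does not)."""
    lower = path.lower()
    reasons = []
    if lower.endswith(_ARCHIVE):
        reasons.append("backup archive")
    if any(word in lower for word in _CRED_WORDS):
        reasons.append("config or credentials")
    if lower.endswith(_SCRIPT):
        reasons.append("dynamic source code")
    if lower.endswith(_LISTED):
        reasons.append("listed extension")
    if any(part.startswith(".") for part in lower.split("/")):
        reasons.append("hidden file")
    return reasons


def interesting_files(entries: List[IndexEntry]) -> Dict[str, List[str]]:
    """Map each interesting path in the index to the reasons it was flagged."""
    flagged = {}
    for e in entries:
        reasons = classify(e.path)
        if reasons:
            flagged[e.path] = reasons
    return flagged


# Constructed sample index (not from any real repository); object ids are dummies.
SAMPLE_INDEX = build_index([
    IndexEntry("index.php", 0o100644, 1200, "aa" * 20),
    IndexEntry("config/database.yml", 0o100644, 300, "bb" * 20),
    IndexEntry(".env", 0o100644, 80, "cc" * 20),
    IndexEntry("backup/site.tar.gz", 0o100644, 500000, "dd" * 20),
    IndexEntry("README.md", 0o100644, 2000, "ee" * 20),
    IndexEntry("db/schema.sql", 0o100644, 9000, "ff" * 20),
])

if __name__ == "__main__":
    for path, why in interesting_files(parse_index(SAMPLE_INDEX)).items():
        print(f"{path}: {', '.join(why)}")
```

The checksum check matters in practice: a web server that serves a truncated or rewritten body with status 200 will otherwise produce a silently wrong file list, and the same check is what lets a tool tell a real index apart from a soft-404 page. Index versions 3 and 4 add extended flags and prefix-compressed names and are deliberately rejected here rather than misparsed.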
On Apache

The following LocationMatch rule denies access to any .git repository that happens to be servable by an Apache web server. It also denies access to .htaccess and .htpasswd files, and shows an example of denying access to the environment configuration files (.env) popular in many frameworks; the .env convention is just an example.
<LocationMatch ^.*/(\.ht.*|\.env.*|\.git)(/.*)?$>
    # The trailing group is optional so the rule also matches the bare file
    # (/.htaccess, /.env) and the bare directory (/.git), not only paths beneath them.
    # Apache 2.2 syntax; on Apache 2.4 replace the two lines below with "Require all denied".
    Order allow,deny
    Deny from all
</LocationMatch>
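After adding a rule like the one above, the useful follow-up is to verify from the outside that the paths it covers really are no longer readable, using the same "does this look like a git config" sanity check the tool description mentions: a catch-all page served with status 200 must not count as success. The script below is an added example, not part of greedy-git or of Apache: it probes /.git/config and /.git/HEAD under a base URL and only reports a path when the body passes a format check. The fetch function is injectable, and the constructed FAKE_SITE responses (no real host) let the script and its checks run offline; pass a real base URL on the command line to check your own deployment.

```python
import configparser
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

Fetch = Callable[[str], Optional[str]]


def looks_like_git_config(text: str) -> bool:
    """The sanity check greedy-git describes: a real .git/config is an INI-style
    file whose [core] section carries repositoryformatversion. A framework
    catch-all page or a soft 404 served with status 200 fails this test."""
    parser = configparser.ConfigParser(strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return False
    return parser.has_option("core", "repositoryformatversion")


def looks_like_git_head(text: str) -> bool:
    """A .git/HEAD is either a symbolic ref line or a bare 40-hex commit id."""
    return re.fullmatch(r"(ref: refs/\S+|[0-9a-f]{40})\n?", text) is not None


# Paths the deny rule is meant to cover, each with a validator for its content.
PROBES: Dict[str, Callable[[str], bool]] = {
    "/.git/config": looks_like_git_config,
    "/.git/HEAD": looks_like_git_head,
}


def http_fetch(url: str) -> Optional[str]:
    """Return the first 64 KiB of a 200 response, or None for any error."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, ValueError):
        return None


def exposed_paths(base_url: str, fetch: Fetch = http_fetch) -> List[str]:
    """Return the probe paths that are readable and contain what they claim to."""
    base = base_url.rstrip("/")
    found = []
    for path, validator in PROBES.items():
        body = fetch(base + path)
        if body is not None and validator(body):
            found.append(path)
    return found


# Constructed responses standing in for a misconfigured host (no real site).
FAKE_SITE = {
    "https://example.test/.git/config": (
        "[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n"
        "[remote \"origin\"]\n\turl = git@example.test:app.git\n"
    ),
    "https://example.test/.git/HEAD": "ref: refs/heads/main\n",
}
SOFT_404 = "<!doctype html><title>Not Found</title><p>The page was not found.</p>"


def fake_fetch(url: str) -> Optional[str]:
    return FAKE_SITE.get(url)


def soft_404_fetch(url: str) -> Optional[str]:
    return SOFT_404  # every path "exists" and returns HTML with status 200


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.test"
    fetch = http_fetch if len(sys.argv) > 1 else fake_fetch
    for path in exposed_paths(target, fetch):
        print(f"readable: {target}{path}")
```

Note that urllib raises on 403 and 404, so a correctly configured deny rule makes http_fetch return None and the path is not reported; the content validators are there for the opposite failure mode, where a catch-all route answers every path with status 200.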