Ignore Your .env - Browsing Environment Files on GitHub

by casi

Recently, I was pushing a commit of a project to GitHub and, after it was up, I realized I had forgotten my .gitignore.  Luckily for me, it wasn't much of an issue, as I was in a private repo that I'm the only user of.

This mistake made me think.  If I've messed up so easily, maybe someone else has as well.  I did a search in GitHub's search bar for a line commonly used in .env files that I thought would bring up some interesting results.  Search:

APP_ENV=production 

62,670 code results.  This brought up a whole load of projects.  I'd say the majority just have test/dev info in them with nothing sensitive, but there were a few of interest.  Maybe one in every 100 had something with sensitive data, in which case I would open an issue on the repository just to give the user a heads up (but people can't always rely on friendly investigators).

Other times, I would find that an .env existed but was full of nonsense.  That wasn't much better, as it just made me suspicious: why was it full of nonsense?  Maybe if I looked in the commit history there would be something interesting...  There was.

I picked a random page, 42 sounded good.  The first result had an .env with a Gmail username and password!

Now theoretically, somebody may attempt to login to Gmail with this info just to see if it was real.  They would then be confronted with the unusual login page for Gmail.  This would ask them to confirm the other email address associated with the account.  But it's O.K., because this other email is definitely not public on a GitHub profile page...

I wondered if others would also have their mail login in a commit, so I tried searching for:

MAIL_HOST=smtp.gmail.com

A modest 13,791 commit results.  This time I tried page 26 where I found a couple more logins.

One of the .env files for a design agency blog also contained database IP, username, and password!

I tried one more search before ending my little investigation:

DELETE_ENV

This was the most reliable for finding .env files containing sensitive data: people who have realized their mistake of uploading the .env and deleted it in the next commit, but have not realized that the commit diff still shows the old .env contents in red and the new, empty .env in green.  If anything, they've made it easier to see now that it is highlighted!

Here is a short list of the secret variables (often paired with their public keys) I found in "delete env" commits during my lunch break.  The impact ranges from "Oh no!  I'll have to get a new key for my Twitter bot" to "Who made this Stripe transfer?":

AWS3-SECRET
GITHUB_SECRET
FACEBOOK_SECRET
PUSHER_SECRET
GOOGLE_CLIENT_SECRET
PRODUCTION_DB_PASSWORD
OPENWEATHER_KEY
NEXMO_SECRET
CLOUDINARY_API_SECRET
WP_SECURE_AUTH_KEY
CONSTANT_CONTACT_API_SECRET
CHIKKA_CLIENT_SECRET
LINKEDIN_CLIENT_SECRET
TWITTER_ACCESS_SECRET
TWITTER_CONSUMER_SECRET
NEO4JPASS
BRAINTREE_KEY_PRIVATE
MAILGUN_PASSWORD
PHONE_NUMBER
DROPBOX_APP_SECRET
STRIPE_SECRET

You could also try other commit searches, such as:

delete application.properties
delete keys.py

I'm writing this in the hope that people will double-check that their .gitignore includes environment files and key files.  My searches found that it is generally beginners and people learning to code who have started using git without fully understanding the record they are leaving.  If you introduce a new friend to git, make sure you tell them about .gitignore.  I also found a few repositories linked to web apps and sites trying to sell a service.  How can we, as users, trust you with our info if you aren't even looking after your own?!

If you do happen to commit sensitive data and are unsure what to do, GitHub has a whole section on how to use:

$ git filter-branch
or
$ bfg --delete-files

in their docs.  You could even just delete the copy and upload again.
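To make the "delete env" observation and the .gitignore advice above concrete, here is an added shell example (my own, not from the article or GitHub's docs) that builds a throwaway repo with a placeholder .env, deletes it in a second commit, and then scans every commit rather than just HEAD.  The STRIPE_SECRET value, the demo committer identity and the temp repo are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article: repeat the "commit .env, then delete it"
# mistake in a throwaway repo, show the secret is still in the history, and
# show that a .gitignore line would have kept it out in the first place.
# Every value below is a constructed placeholder, not a real credential.
set -eu

GIT_DEMO="git -c user.name=demo -c user.email=demo@example.com"

# Constructed demo repo: commit 1 adds a .env, commit 2 removes it again.
make_demo_repo() {
  repo=$(mktemp -d)
  git init -q "$repo"
  printf 'APP_ENV=production\nMAIL_HOST=smtp.gmail.com\n' > "$repo/.env"
  printf 'STRIPE_SECRET=sk_PLACEHOLDER_not_a_real_key\n' >> "$repo/.env"
  $GIT_DEMO -C "$repo" add .env
  $GIT_DEMO -C "$repo" commit -q -m 'initial commit'
  $GIT_DEMO -C "$repo" rm -q .env
  $GIT_DEMO -C "$repo" commit -q -m 'delete env'
  echo "$repo"
}

# Walk every commit reachable from any ref and grep its tree (not just HEAD)
# for variables that look like credentials. Output: <commit>:<path>:<line>:<text>
scan_history() {
  repo=$1
  git -C "$repo" rev-list --all | while read -r rev; do
    git -C "$repo" grep -n -E '^[A-Z0-9_]*(SECRET|PASSWORD|PASS|KEY)=' "$rev" || true
  done
}

# Number of distinct commits whose tree still carries a secret-looking line.
count_leaky_commits() {
  scan_history "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Would a .gitignore containing ".env" have stopped "git add .env"? Prints yes/no.
would_be_ignored() {
  printf '.env\n' > "$1/.gitignore"
  if git -C "$1" check-ignore -q .env; then echo yes; else echo no; fi
}

repo=$(make_demo_repo)
echo "files named .env tracked at HEAD: $(git -C "$repo" ls-files .env | wc -l | tr -d ' ')"
echo "commits still holding secret-looking lines: $(count_leaky_commits "$repo")"
scan_history "$repo"
echo "would a .gitignore line have caught it: $(would_be_ignored "$repo")"
```

HEAD is clean, yet the scan still reports the first commit: deleting the file only adds history on top, which is exactly what the "delete env" search surfaces.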

If someone is looking for a way to use this, how about some kind of helpful bot that opens issues on repositories with sensitive data?

Stay safe.
