Sensitive data committed to history #10

Open
github-learning-lab bot opened this issue Sep 15, 2021 · 6 comments

@github-learning-lab
Contributor

Sensitive data elsewhere in the repository contents

Often sensitive data is buried deep in a repository's history. The process for removing these files and commit data is a bit trickier and more involved.

In our repository's history, there is a reference to a .env file with sensitive information. We've since added a .gitignore to prevent this from happening in the future, but it doesn't modify any previously committed references from the history.

There are a few things we need to think about and take into consideration before we start altering our historical content. But for now, let's start with identifying the commit in question by going through our commit history.

Step 12: Find historical reference to a previous .env file

  1. Navigate to the Code tab of the repository and click on the commits link directly under the Code tab
  2. Scanning through the commit history, locate the commit that added the .env file
  3. Copy and paste the commit SHA ID as a comment in this issue

I'll respond below when you add your comment to this issue.

@monishcm
Owner

f3020dc

@github-learning-lab
Contributor Author

Good guess, but the commit SHA ID that added the .env file is 848cd8c

Try typing that commit id in a comment to move on.


I'll respond below when I see your comment

@monishcm
Owner

848cd8c

@github-learning-lab
Contributor Author

Nice, that's the commit that added the .env file. We'll need to remove the contents of this commit, as well as the commit that removed it from the history.

Step 13: Remove historical reference to a previous .env file

We can do this with the following commands:

  1. Since we cloned the repository earlier, let's run `git checkout main` to put us back on the main branch
  2. Run `git pull` to update your local repository with the changes we merged from the contributor's pull request
  3. Run `git filter-branch --index-filter "git rm -rf --cached --ignore-unmatch .env" HEAD` to remove the historical reference to the .env file

Note: There is a lot going on with this command. We won't be diving into everything this command is doing, but it's filtering through the main branch and removing any cached reference to a .env file.

  4. Next, let's run `git push -f` to force push this change to the main branch
  5. Let's now run `git log --oneline` to get a list of our modified commit history
  6. Paste your log output into this issue as a comment

Here is an example of a log output using `git log --oneline`:

```
d27dde6 (HEAD -> main, origin/main, origin/HEAD) Merge pull request #8 from monishcm/add-gitignore
65c1b71 Update .gitignore
a9b1b74 Merge add-wolverine-image into main
e2262cd Add wolverine image to game
9414843 Merge pull request #6 from monishcm/a-a-ron-patch-1
16d5372 Create SECURITY.md
28b3625 Merge pull request #1 from monishcm/update-dependency
3f7b819 Update package.json
e9ae69a Change package.json file to highlight where dependency update should go
831b1d1 Add empty .gitignore file
78cfef0 Remove .env file
8f08f15 Add .env file
e6e2377 Update README.md and Octocat game
528248c Initial commit
```


I'll respond below when I see your comment
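
The Step 12 lookup and the Step 13 rewrite, run end to end against a throwaway repository. This is an added example, not part of the course or the original thread; the repository, its commits, the secret value and all function names are constructed for illustration. It also checks a detail the steps above do not cover: `git filter-branch` keeps the pre-rewrite history under `refs/original/`.

```bash
# Added example: the repository, commits and secret value are constructed.
set -eu
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export FILTER_BRANCH_SQUELCH_WARNING=1   # skip filter-branch's advisory pause

# Build a throwaway repo whose history adds and later removes a .env file.
make_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" symbolic-ref HEAD refs/heads/main
  commit() { git -C "$repo" add -A && git -C "$repo" commit -q -m "$1"; }
  echo "# game" > "$repo/README.md";                    commit "Initial commit"
  echo "API_KEY=constructed-demo-value" > "$repo/.env"; commit "Add .env file"
  rm "$repo/.env";                                      commit "Remove .env file"
  echo ".env" > "$repo/.gitignore";                     commit "Add .gitignore"
  echo "$repo"
}
# Step 12 from the command line: subjects of commits that added (A) the path.
commits_adding() {       # $1 = repo, $2 = path
  git -C "$1" log --all --diff-filter=A --format=%s -- "$2"
}
# Count commits under a rev-list selector whose tree still contains the path.
commits_containing() {   # $1 = repo, $2 = path, $3 = selector (main, --all)
  n=0
  for c in $(git -C "$1" rev-list "$3"); do
    [ -z "$(git -C "$1" ls-tree -r --name-only "$c" "$2")" ] || n=$((n + 1))
  done
  echo "$n"
}
# Drop filter-branch's refs/original backup and the reflogs, then prune.
purge_old_objects() {    # $1 = repo
  git -C "$1" for-each-ref --format='%(refname)' refs/original |
    while read -r ref; do git -C "$1" update-ref -d "$ref"; done
  git -C "$1" reflog expire --expire=now --all
  git -C "$1" gc -q --prune=now
}
run_demo() {
  r=$(make_demo_repo)
  found=$(commits_adding "$r" .env)
  git -C "$r" filter-branch --index-filter "git rm -rf --cached --ignore-unmatch .env" HEAD >/dev/null 2>&1
  on_main=$(commits_containing "$r" .env main)      # rewritten branch
  via_backup=$(commits_containing "$r" .env --all)  # includes refs/original
  purge_old_objects "$r"
  after=$(commits_containing "$r" .env --all)
  rm -rf "$r"
  echo "found='$found' main=$on_main backup=$via_backup after=$after"
}
run_demo
```

The `backup=1` result shows that right after the rewrite the old commit is still reachable in the local clone through `refs/original/`, even though `main` no longer contains the file.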

@monishcm
Owner

```
2e325fc (HEAD -> main, origin/main, origin/HEAD) Merge pull request #9 from monishcm/add-gitignore
8369667 (origin/add-gitignore) Update .gitignore
9f49de3 Merge add-wolverine-image into main
ed90055 (origin/add-wolverine-image, add-wolverine-image) Merge branch 'add-wolverine-image' of https://github.com/monishcm/security-strategy-essentials into add-wolverine-image
17d9de5 Add wolverine image to game
8c068cb Merge pull request #7 from monishcm/monishcm-patch-1
043a700 (origin/monishcm-patch-1) Create SECURITY.md
e90d3b3 Merge pull request #4 from monishcm/revert-1-update-dependency
025454f (origin/revert-1-update-dependency) Update package.json
e3ce756 Revert "Update the vulnerable dependency"
c3d3c68 Merge pull request #1 from monishcm/update-dependency
f3020dc Add .env file
b881c0f Add wolverine image to game
d433546 (origin/update-dependency) Change package.json file to highlight where dependency update should go
5eeb484 Add empty .gitignore file
56d6fbb Remove .env file
848cd8c Add .env file
c5d4b69 Update README.md and Octocat game
89c7c6a Initial commit
```

@github-learning-lab
Contributor Author

Uh oh @monishcm, something went wrong! I wasn't expecting this change. Please go over the instructions again and make sure you've followed them as exactly as you can.

Hint:

Make sure you use one of the below commands to remove reference to these commits.

If you would like help troubleshooting, create a post on the GitHub Community board. You might also want to search for your issue to see if other people have resolved it in the past.
