Sunday, April 11, 2021

git reflog shows git password in plain text

Why git reflogs are important is covered in a separate post; check it here (if the link does not open, paste the URL manually).

https://linuxamination.blogspot.com/2021/04/git-reflog-and-its-importance.html

CI / CD was introduced to save the time of everyone on the team who would otherwise pull the code manually onto the development, staging and production servers.

It automates the 'git pull' step. DevOps teams commonly use GitLab CI / CD or Jenkins for this, and if you have used Jenkins you will have created pipelines or jobs that update the code on the server frequently.

Jenkins has its own credential handling: it asks for your git password once, stores it separately from the job, and masks it wherever it would otherwise be displayed. In the UI and the console output you see either an opaque hash-like credential reference or stars, like '******@123', never the password itself.

But if the pull is done by a shell script, whether run by hand, from cron or as a shell step inside a Jenkins job, with the password embedded in the URL (for example `git pull https://user:password@host/repo.git master`), git records that command line, and anyone with read access to the project directory on the server can recover the password in plain text.

Try it yourself: cd into the project directory on the server and run `git reflog`.

If reflogs are enabled (they are by default in a normal, non-bare clone), every pull shows up as an entry such as `HEAD@{0}: pull https://user:password@host/repo.git master: Fast-forward`, password included, because git builds the reflog message from the exact arguments the pull command was given.

If all your code is tested properly on the QA server and you do not need the reflog as a safety net on the production server, you can stop git from saving reflogs in that clone by setting the following option in its .git/config. Note that this goes into the repository on the server that runs the pull, not into the central remote repository; reflogs are a per-repository record of where HEAD and the branches moved.

[core]
  logAllRefUpdates = 0

Two caveats. First, this only stops new entries from being written; entries that already exist stay until you expire them (see below). Second, it does not remove the password from the other places a URL-embedded credential ends up: the remote URL in .git/config if the repository was cloned with it, the shell history of whoever typed the command, and the process list while the pull is running. The real fix is to keep the password out of the URL altogether, for example with an SSH deploy key or a git credential helper, or at the very least a narrowly scoped access token that can be revoked.

You can remove reflog entries that already exist with the following command.

This command removes all reflog entries older than 15 days; `--expire-unreachable=now` additionally drops entries that point at commits no longer reachable from the current branch tip, whatever their age.

git reflog expire --expire=15.days.ago --expire-unreachable=now --all

Change the day number to 1 and it will delete all the reflog entries from yesterday and older; use `--expire=now` to clear the reflog completely. The commits themselves remain in the repository until `git gc --prune=now` is run; expiring the reflog only stops it from referencing them.


git reflog and its importance

The `git reflog` command is very helpful when you want to revert changes. It is a little different from `git log`: `git log` lists every commit in the history, while `git reflog` lists the points at which HEAD (and each branch tip) moved in this particular repository. On a server that only ever pulls, that means one entry per pull, however many commits that pull brought in.

Suppose a developer works on a task and commits frequently: 11 commits (commit 1, commit 2, ... commit 11) before pushing, which DevOps then pulls onto the server, and then 9 more commits before a second push. The developer has pushed twice but committed 20 times. Now the second push breaks something on the server and DevOps is asked to revert it.

Checking with `git log`, DevOps sees 20 commits and cannot tell which one the server was on before the second pull. Asking the developer may not help either, since their attention was on the code and the error, not on commit numbers. Knowing the details of every pull and push is DevOps' responsibility, and this is where `git reflog` comes to the rescue.

It lists only the commits that were pulled onto the server: as many entries as there were pushes, independent of how many commits the developer made in between. (If the developer pushed after every commit the two lists would coincide, but developers do not push after every commit.) The entry just below the latest pull is the commit the server was on before the second push, and that is the one to reset to.
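The following script is an added, runnable illustration for both posts above; it is not code from either post. It builds a throwaway bare "remote", a developer clone and a server clone in a temporary directory, pulls on the server with a made-up password embedded in the URL, shows that `git reflog` on the server lists one entry per clone/pull rather than one per commit and that the pull entry carries the password in plain text, rolls the server back to the pre-pull commit using the reflog, and finally expires the reflog so the password is gone. The URL `https://deploy:S3cret-pw@git.example.invalid/team/app.git`, the password, the branch and file names are all constructed for the demo; the `url.<base>.insteadOf` rewrite is there only so the fake URL resolves to the local bare repository and the whole thing runs offline.

```sh
#!/bin/sh
# Added demonstration for this page; not code from the original posts.
# Everything is constructed in a temporary directory: the "remote" is a bare
# repo on disk, the URL and password are fake, and a url.<base>.insteadOf
# rewrite (an assumption made only to keep the demo offline) makes the fake
# https URL resolve to that local bare repo. On a real server the URL is your host.
set -eu

LEAKY_URL='https://deploy:S3cret-pw@git.example.invalid/team/app.git'  # constructed
SECRET='S3cret-pw'                                                     # constructed

# make_repos WORK: build remote (bare), dev (developer clone, pushes twice) and
# server (deployment checkout, cloned after push 1, pulled after push 2 with the
# password in the URL). Prints the commit the server was on before that pull.
make_repos() {
    work=$1; remote=$work/remote; dev=$work/dev; server=$work/server

    git init -q --bare "$remote"
    git -C "$remote" symbolic-ref HEAD refs/heads/main

    git init -q "$dev"
    git -C "$dev" symbolic-ref HEAD refs/heads/main
    git -C "$dev" config user.name Dev
    git -C "$dev" config user.email dev@example.invalid

    # first batch: three commits, one push
    for n in 1 2 3; do
        echo "change $n" >"$dev/file$n.txt"
        git -C "$dev" add "file$n.txt"
        git -C "$dev" commit -q -m "commit $n"
    done
    git -C "$dev" push -q "$remote" main

    # the server checkout is taken after the first push
    git clone -q "$remote" "$server"
    git -C "$server" rev-parse HEAD        # pre-pull commit, printed for the caller

    # second batch: two more commits, one push
    for n in 4 5; do
        echo "change $n" >"$dev/file$n.txt"
        git -C "$dev" add "file$n.txt"
        git -C "$dev" commit -q -m "commit $n"
    done
    git -C "$dev" push -q "$remote" main

    # "the shell script on the server": pull with credentials embedded in the URL.
    # git builds the reflog message from this command line exactly as typed.
    git -C "$server" -c "url.$remote.insteadOf=$LEAKY_URL" \
        pull -q --ff-only "$LEAKY_URL" main
}

# count_secret_in_reflog REPO: number of reflog lines that expose the password.
count_secret_in_reflog() {
    git -C "$1" reflog | grep -c "$SECRET" || true
}

# rollback_last_pull REPO: the reflog, not git log, tells us where HEAD was
# before the most recent pull (HEAD@{1}); reset to it and print that commit.
rollback_last_pull() {
    git -C "$1" reset -q --hard 'HEAD@{1}'
    git -C "$1" rev-parse HEAD
}

# scrub_reflog REPO: expire every reflog entry now, then let gc drop the objects
# those entries were keeping alive. Afterwards `git reflog` prints nothing.
scrub_reflog() {
    git -C "$1" reflog expire --expire=now --expire-unreachable=now --all
    git -C "$1" gc -q --prune=now
}

run_demo() {
    work=$(mktemp -d)
    pre=$(make_repos "$work")
    echo "git log on the server: $(git -C "$work/server" rev-list --count HEAD) commits"
    echo "git reflog on the server (one entry per clone/pull, password included):"
    git -C "$work/server" reflog
    echo "reflog lines exposing the password: $(count_secret_in_reflog "$work/server")"
    echo "pre-pull commit $pre; rolled back to $(rollback_last_pull "$work/server")"
    scrub_reflog "$work/server"
    echo "reflog lines exposing the password after expire: $(count_secret_in_reflog "$work/server")"
    rm -rf "$work"
}

run_demo
```

Save it as reflog_demo.sh and run `sh reflog_demo.sh`. The rollback step only works while the reflog is still intact; that is exactly the trade-off the first post makes when it suggests turning reflogs off on a production server, and why keeping the password out of the URL is the better fix than losing the reflog.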