davtur19 / dotgit Goto Github PK

Users of this extension are being negatively impacted when accessing *.1password.com (as well as *.1password.ca and *.1password.eu) as 1Password implements an active defense system that automatically blocks the IP address of clients that appear to be bots or are probing for common security issues. The requests that this extension performs triggers that system. This can be tested by attempting to access my.1password.com with the extension enabled.

This means that any user of this extension that tries to access their 1Password account will be immediately blocked at the IP level - this could be avoided by adding the above domains to the default blocklist.

In the interest of users, I would suggest making this addition to avoid putting them through that hassle.

$ curl -s https://bugzilla.kernel.org/.git/config | grep url
	url = https://github.com/bugzilla/bugzilla.git

There are Git repositories which are publicly accessible either way.

Feature Request:

• Parse .git/config for url and check if the git repository is public or not
• Add a setting to disable notifications if the repo is public either way

With GitHub and GitLab, this could be solved with an HTTP request to the repo.

• https://github.com/bugzilla/bugzilla 200: Public
• https://github.com/bugzilla/bugzilla 404 or 403 Not public

Currently, the extension does not identify an exposed Git repository when the .git/ returns 403 Forbidden, however the files under the .git/ directory are accessible (such as .git/config etc).

I would expect the extension to still identify the repository, since it can see .git/config.

Thanks!

I cannot see the full results and size of DotGit layout as in Chrome Browser.
In chrome:

But in Brave browser:

Anyone getting the same issue?
I tried many things but couldnt resolve it.
Anyone have the solution for it?

Hi, big fan of the plugin but today I finally found that it is the source why my Firefox is slowing down opening Youtube or Twitch.
Tried to add *.youtube.com, *.twitch.tv, *.ytimg.com to the exclude list but it still slows down rendering the videos or thumbnails. Is there any workaround to keep the plugin enable but have smooth video/streaming experience?

I am not sure how you think about it, or if you feel like it would fit within the scope of this project, but I think that adding a check for http://example.com/wp-content/uploads/ would be a nice addition.

If you do an HEAD request to an open /wp-content/uploads/ URL, it shall normally return status 200, if it's blocked, obviously 403, 404 not found, etc.

Hey, would it be possible to add option to ignore some specific sites? For example, dotgit gets me banned from 1password.com if I use it "On all sites" in chrome :/

I would love to add a site blacklist of some form. Those sites should not be scanned when visited.

Hi!

It's seems that the extension is not able to detect a .git folder if is a subpath.

For example the site https://fossies.org/ has a .git folder on the path https://fossies.org/linux/knock/.git/logs/HEAD

If I have ever previously opened a page with an exposed git folder - DotGit deteced this and when I clear the list and re-entering this same page should exposed git folder message appear whether no?

I've had extractors for git, svn and mercurial (which preceded those of Internetwache.org by a couple of years). It would be simple to check for these directories too, my code to extract all these (in perl):

https://github.com/tautology0/ayfabtu

This is written up (for git): https://www.pentestpartners.com/security-blog/git-extraction-abusing-version-control-systems/ which links to other articles I wrote for svn and mercurial.

it could be nice if it checks for .ftpconfig too

Hello,

it looks like you are using Manifest v3 and it looks like you store state in you background workers.

For example, let us focus on check_git

First of all, you are using a global variable and the code looks like it can produce race conditions for that variable if the onMessage listener is executed in short time with different content for the check_git variable. I have not checked if this is this can happen.

My main point is that the worker could have been destroyed between you store the value to the variable and onHeaderReceived fires. the code would broke if the variable should hold true. If I am looking right at the code, the variable would be undefined when the service worker respawns.