davtur19 / dotgit
An extension for checking if .git is exposed in visited websites
License: GNU General Public License v3.0
Users of this extension are being negatively impacted when accessing *.1password.com (as well as *.1password.ca and *.1password.eu) as 1Password implements an active defense system that automatically blocks the IP address of clients that appear to be bots or are probing for common security issues. The requests that this extension performs trigger that system. This can be tested by attempting to access my.1password.com with the extension enabled.
This means that any user of this extension that tries to access their 1Password account will be immediately blocked at the IP level - this could be avoided by adding the above domains to the default blocklist.
In the interest of users, I would suggest making this addition to avoid putting them through that hassle.
$ curl -s https://bugzilla.kernel.org/.git/config | grep url
url = https://github.com/bugzilla/bugzilla.git
There are Git repositories which are publicly accessible either way. Look at .git/config for url and check if the git repository is public or not. With GitHub and GitLab, this could be solved with an HTTP request to the repo:
https://github.com/bugzilla/bugzilla 200: Public
https://github.com/bugzilla/bugzilla 404 or 403: Not public
Currently, the extension does not identify an exposed Git repository when the .git/ returns 403 Forbidden, however the files under the .git/ directory are accessible (such as .git/config etc).
I would expect the extension to still identify the repository, since it can see .git/config.
Thanks!
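The two reports above (checking whether the remote in .git/config is already public, and not trusting a 403 on .git/ when .git/config itself is readable) can be combined into one classification step. This is an added example, not code from the issues or from dotgit; it works on constructed HTTP results rather than making requests, and the `assessGitExposure` / `parseRemoteUrl` / `repoWebUrl` names are assumptions.

```javascript
// Added example, not dotgit's code: classify a .git/ exposure from the
// signals discussed above. Inputs are constructed HTTP results, not live
// requests: the status of GET /.git/, the status and body of GET /.git/config,
// and the status of a HEAD request to the remote's web page (null if unknown).
const SAMPLE_CONFIG = [                       // constructed .git/config text
  '[core]', '\trepositoryformatversion = 0',
  '[remote "origin"]', '\turl = git@github.com:bugzilla/bugzilla.git',
  '\tfetch = +refs/heads/*:refs/remotes/origin/*',
].join('\n');

// Extract the first remote url from the INI-like git config format.
function parseRemoteUrl(configText) {
  let section = null;
  for (const raw of configText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line[0] === '#' || line[0] === ';') continue;
    const sec = line.match(/^\[(\w+)(?:\s+"[^"]*")?\]$/);
    if (sec) { section = sec[1]; continue; }
    const kv = line.match(/^(\w+)\s*=\s*(.+)$/);
    if (kv && section === 'remote' && kv[1] === 'url') return kv[2].trim();
  }
  return null;
}

// Map GitHub/GitLab remotes (https, git@ or ssh:// form) to the repo web URL.
function repoWebUrl(remote) {
  const m = remote.match(/^(?:https?:\/\/|git@|ssh:\/\/git@)(github\.com|gitlab\.com)[:/](.+?)(?:\.git)?\/?$/);
  return m ? `https://${m[1]}/${m[2]}` : null;
}

function assessGitExposure({ dirStatus, configStatus, configBody, repoStatus }) {
  // A 403 on the directory is not proof of protection: the files inside may
  // still be served, so a readable config is the decisive signal.
  const configReadable = configStatus === 200 && /^\s*\[core\]/m.test(configBody || '');
  if (!configReadable && dirStatus !== 200) return { exposed: false, reason: '.git not readable' };
  const remote = configReadable ? parseRemoteUrl(configBody) : null;
  const web = remote ? repoWebUrl(remote) : null;
  if (web && repoStatus === 200) return { exposed: true, severity: 'low', reason: `already public at ${web}` };
  if (web) return { exposed: true, severity: 'high', reason: `${web} is not public (${repoStatus})` };
  return { exposed: true, severity: 'high', reason: 'remote unknown or not a hosted repo' };
}
```

The "low" result still reports the exposure (a served .git/ is a misconfiguration either way); it only notes that the contents are already public.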
Hi, big fan of the plugin but today I finally found that it is the reason why my Firefox is slowing down opening Youtube or Twitch.
Tried to add *.youtube.com, *.twitch.tv, *.ytimg.com to the exclude list but it still slows down rendering the videos or thumbnails. Is there any workaround to keep the plugin enabled but have a smooth video/streaming experience?
I am not sure how you think about it, or if you feel like it would fit within the scope of this project, but I think that adding a check for http://example.com/wp-content/uploads/ would be a nice addition.
If you do a HEAD request to an open /wp-content/uploads/ URL, it shall normally return status 200; if it's blocked, obviously 403, 404 not found, etc.
Hey, would it be possible to add option to ignore some specific sites? For example, dotgit gets me banned from 1password.com if I use it "On all sites" in chrome :/
I would love to add a site blacklist of some form. Those sites should not be scanned when visited.
Hi!
It seems that the extension is not able to detect a .git folder if it is a subpath.
For example the site https://fossies.org/ has a .git folder on the path https://fossies.org/linux/knock/.git/logs/HEAD
If I have previously opened a page with an exposed git folder, DotGit detected this. When I clear the list and re-enter this same page, should the exposed git folder message appear or not?
I've had extractors for git, svn and mercurial (which preceded those of Internetwache.org by a couple of years). It would be simple to check for these directories too, my code to extract all these (in perl):
https://github.com/tautology0/ayfabtu
This is written up (for git): https://www.pentestpartners.com/security-blog/git-extraction-abusing-version-control-systems/ which links to other articles I wrote for svn and mercurial.
It could be nice if it checked for .ftpconfig too.
Hello,
it looks like you are using Manifest v3 and it looks like you store state in your background workers.
For example, let us focus on check_git (lines 101, 555 and 714 in ab11f45).
First of all, you are using a global variable and the code looks like it can produce race conditions for that variable if the onMessage listener is executed in a short time with different content for the check_git variable. I have not checked if this can happen.
My main point is that the worker could have been destroyed between when you store the value to the variable and onHeaderReceived fires. The code would break if the variable should hold true. If I am looking right at the code, the variable would be undefined when the service worker respawns.
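To make the failure mode in this report concrete, here is an added example (not dotgit's code and not from the issue) that contrasts a module-level `check_git` flag with per-tab state kept in storage that outlives a service worker respawn. The `sessionStore` object is an assumed stand-in for `chrome.storage.session` (async get/set keyed by string), implemented here as a constructed in-memory Map so the scenario runs outside a browser.

```javascript
// Added example, not dotgit's code: a module-level flag in an MV3 service
// worker versus per-tab state kept in storage that outlives the worker.
// `sessionStore` stands in for chrome.storage.session (assumed shape: async
// get/set keyed by string); here it is a constructed in-memory Map.

// Fragile pattern: one global shared by every tab and every in-flight check,
// reset to undefined whenever the browser tears the worker down and respawns it.
function makeGlobalWorker() {
  let check_git;
  return {
    onMessage(msg) { check_git = msg.check_git; },
    onHeadersReceived() { return check_git === true; },
  };
}

// Sturdier pattern: state keyed by tabId in session storage, written in the
// onMessage listener and read back asynchronously in the webRequest listener.
function makePersistentWorker(sessionStore) {
  return {
    async onMessage(msg, tabId) {
      await sessionStore.set(`check_git:${tabId}`, msg.check_git === true);
    },
    async onHeadersReceived(tabId) {
      return (await sessionStore.get(`check_git:${tabId}`)) === true;
    },
  };
}

// Constructed stand-in for chrome.storage.session.
function makeSessionStore() {
  const m = new Map();
  return { get: async (k) => m.get(k), set: async (k, v) => { m.set(k, v); } };
}

// Scenario: tab 1 asks for a check, tab 2 explicitly does not, the worker is
// respawned, then the header listener fires for each tab.
async function simulateRespawn() {
  let g = makeGlobalWorker();
  g.onMessage({ check_git: true });
  g.onMessage({ check_git: false }); // second tab overwrites the shared flag
  g = makeGlobalWorker();            // respawn: fresh module scope, flag lost
  const globalSurvives = g.onHeadersReceived();

  const store = makeSessionStore();
  let p = makePersistentWorker(store);
  await p.onMessage({ check_git: true }, 1);
  await p.onMessage({ check_git: false }, 2);
  p = makePersistentWorker(store);   // respawn: same backing storage
  return { globalSurvives, tab1: await p.onHeadersReceived(1), tab2: await p.onHeadersReceived(2) };
}
```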