Gitify : improve the _backup/ and _data/ directories security

By the way, Gitify works on my production server, and by default the _backup/ directory is accessible by anyone.
Of course, a curious visitor can’t browse the directory (Error 403), but the files could be accessed with the full URL, such as https://mydomain.tld/_backup/2019-06-22T100636+0200.sql

Maybe a simple .htaccess with a deny from all in this directory could be a good idea, or moving the _backup/ directory outside the /htdocs directory…

And I don’t know if there is sensitive information inside the _data directory (credentials, user accounts…), but improving the security of this directory too could be important.

What do you think?

Yes you should lock down those directories, absolutely.

These are good thoughts @Spheerys, that’s why I (and probably most Gitify users) moved the 3 directories (_backup/_data/_keys) outside the public-root.

My MODX project (which is also a .git repository) looks like this:

Directory-Overview

  • /
    :: Root / Configuration Files / Scripts
  • /_backup
    :: Gitify Backup Directory
  • /_data
    :: Gitify Object Directory
  • /_keys
    :: Gitify Keys Directory
  • /server (local modx-dev-server)
    :: Directory for MODX Local Development Server
  • /www
    :: Webroot / MODX Directory (only necessary files should get versioned/transferred)

Then inside your Gitify-config you just point a directory up ../ to the new private folders.
If you also scaffold your projects like this, you shouldn’t have any public access left :+1:

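Added example (POSIX shell), not code from the thread or from Gitify itself: a check that the private directories really resolve outside the webroot in the layout described above, including the case a directory symlink inside the webroot would reintroduce when Apache runs with FollowSymLinks. The directory names are the ones from the post; the temporary layout built in demo() is constructed here for illustration.

```shell
#!/bin/sh
# Audit a Gitify project layout: every private directory (_backup, _data,
# _keys) must resolve outside the webroot, and nothing under the webroot
# may symlink into it. Added example; paths are assumptions.

# Physical absolute path of an existing directory (symlinks resolved).
abs_path() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# is_outside_webroot WEBROOT DIR
# 0 if DIR is neither WEBROOT itself nor beneath it, 1 otherwise
# (also 1 if either directory does not exist).
is_outside_webroot() {
    wr_abs=$(abs_path "$1") || return 1
    d_abs=$(abs_path "$2") || return 1
    case "$d_abs" in
        "$wr_abs"|"$wr_abs"/*) return 1 ;;   # "/srv/www2" is NOT under "/srv/www"
        *) return 0 ;;
    esac
}

# webroot_links_into WEBROOT DIR
# 0 (and prints the link) if a directory symlink under WEBROOT resolves to
# DIR or below it; with Options FollowSymLinks that re-exposes a directory
# you moved out of the webroot. 1 if no such link exists.
webroot_links_into() {
    wr_abs=$(abs_path "$1") || return 1
    target=$(abs_path "$2") || return 1
    links=$(find "$wr_abs" -type l 2>/dev/null)
    while IFS= read -r link; do
        [ -n "$link" ] || continue
        resolved=$(abs_path "$link") || continue   # file symlink or dangling: skip
        case "$resolved" in
            "$target"|"$target"/*) echo "$link"; return 0 ;;
        esac
    done <<EOF
$links
EOF
    return 1
}

# gitify_layout_ok WEBROOT DIR...
# 0 iff every DIR is outside WEBROOT and nothing in WEBROOT links into it.
# Prints one line per problem found.
gitify_layout_ok() {
    wr=$1; shift
    status=0
    for d in "$@"; do
        if ! is_outside_webroot "$wr" "$d"; then
            echo "INSIDE webroot: $d"; status=1
        elif link=$(webroot_links_into "$wr" "$d"); then
            echo "linked from webroot: $link -> $d"; status=1
        fi
    done
    return $status
}

# Constructed demo: the layout from the post, then two ways it goes wrong.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/www" "$root/_backup" "$root/_data" "$root/_keys"
    echo "== private dirs beside the webroot =="
    gitify_layout_ok "$root/www" "$root/_backup" "$root/_data" "$root/_keys" && echo "layout OK"

    echo "== leftover _backup inside www, plus a symlink into _data =="
    mkdir -p "$root/www/_backup"
    ln -s "$root/_data" "$root/www/data"
    gitify_layout_ok "$root/www" "$root/www/_backup" "$root/_data" "$root/_keys" || echo "layout NOT ok"
    rm -rf "$root"
}

demo
```

Run it on the real server with the webroot and the three directories your Gitify config points at (`gitify_layout_ok /path/www /path/_backup /path/_data /path/_keys`); a leftover copy of _backup under the webroot from before the move is the typical finding.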

It’s also fairly simple to use htaccess rewrites to block access to directories that start with a dot or underscore, or specific directories/files:

    # .htaccess in the webroot (needs mod_rewrite)
    RewriteEngine On
    RewriteRule ^(\.|_build|_data|config\.core\.php) /index.php?q=wordpress-is-awesome [L]

Giving it a q parameter of a non-existent resource will make it show the MODX 404 page, giving no indication that the file/directory exists.

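Added example (POSIX shell), not code from the post or from MODX/Gitify: a way to test what a RewriteRule pattern would catch before putting it in .htaccess. It assumes that in a per-directory .htaccess Apache matches the pattern against the request path relative to that directory, without the leading slash, and that for patterns this simple grep's ERE and Apache's PCRE agree. The request paths are constructed for illustration; the second pattern is the generalization the post describes (everything starting with a dot or underscore), which also covers _backup and _keys from the layout in the reply above.

```shell
#!/bin/sh
# Emulate Apache RewriteRule pattern matching with grep -E, to check which
# request paths a block rule catches. Added example; the emulation is an
# assumption (relative path, no leading slash, ERE ~ PCRE for these patterns).

# Pattern exactly as posted above.
ORIGINAL='^(\.|_build|_data|config\.core\.php)'
# Generalization: any path whose first segment starts with "." or "_"
# (so _backup and _keys too), plus config.core.php.
BROAD='^(\.|_|config\.core\.php)'

# matches_rule PATTERN REQUEST_PATH -> 0 if the rule would fire
matches_rule() {
    rel=${2#/}                               # "/_data/x.yaml" -> "_data/x.yaml"
    printf '%s\n' "$rel" | grep -Eq -- "$1"
}

# blocked_count PATTERN PATH... -> prints how many of PATH... the rule catches
blocked_count() {
    pat=$1; shift
    n=0
    for p in "$@"; do
        if matches_rule "$pat" "$p"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed request paths: private things that must be hidden, and public
# ones that must keep working (the rewrite target itself included, so the
# [L] rule does not loop when Apache re-runs the per-directory rules).
PRIVATE="/_backup/2019-06-22T100636+0200.sql /_data/modx_users.yaml /_keys/secret /.git/config /config.core.php"
PUBLIC="/index.php /assets/_thumb.png /manager/"

show() {   # show LABEL PATTERN
    echo "== $1 =="
    for p in $PRIVATE $PUBLIC; do
        if matches_rule "$2" "$p"; then echo "BLOCKED  $p"; else echo "allowed  $p"; fi
    done
    echo "private blocked: $(blocked_count "$2" $PRIVATE)/5, public blocked: $(blocked_count "$2" $PUBLIC)/3"
}

show "pattern from the post" "$ORIGINAL"
show "dot-or-underscore pattern" "$BROAD"
```

The posted pattern blocks exactly the names it lists; if your project also keeps _backup and _keys under the webroot, the broader pattern is what "anything starting with a dot or underscore" amounts to. The alternative from the opening post, a .htaccess inside _backup/ with Deny from all (Require all denied on Apache 2.4), only takes effect when AllowOverride permits it for that directory, which is worth confirming on the production host.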