From security@wikimedia.org
https://design.wikimedia.org/.git/config
exposes GitLab CI token credentials. We should rotate this token and prevent `.git` directories from being public in microsites.
---
The repository is https://gitlab.wikimedia.org/repos/sre/miscweb/design-landing-page and the [[ https://gitlab.wikimedia.org/repos/sre/miscweb/design-landing-page/-/blob/master/.pipeline/blubber.yaml | image definition ]] does:
```
copies:
  - from: local
    source: ./.
    destination: ./html/
```
This copies the `.git` directory into the image as well. The Apache `<VirtualHost>` has a deny rule:
```
<Directory /srv/org/wikimedia/.git>
Require all denied
</Directory>
```
But within Blubber, the files are copied under `/srv/app` by default, so the actual path is `/srv/app/html/.git` and the deny rule for `/srv/org/wikimedia/.git` does not apply to it.
The image is `docker-registry.wikimedia.org/repos/sre/miscweb/design-landing-page:2024-01-17-103642`
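
A check that would catch this mismatch before deployment, as an added example (not code from this task or from the repository): it walks the document root of an unpacked image, reports every `.git` directory, whether a literal `<Directory>` block with `Require all denied` covers its in-image path, and whether its `config` holds a remote URL with an embedded password. The function names, the `gitlab.example` host and the token value are assumptions made for the example; wildcard and regex `<Directory>` forms are not handled.

```python
import os
import re
import tempfile
from pathlib import Path, PurePosixPath
from urllib.parse import urlsplit

# The deny rule quoted in the task (literal <Directory> path only).
PAGE_RULE = "<Directory /srv/org/wikimedia/.git>\nRequire all denied\n</Directory>\n"
DIRECTORY_BLOCK = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
REMOTE_URL = re.compile(r"^\s*url\s*=\s*(\S+)", re.M)

def denied_dirs(apache_conf):
    """Paths of <Directory> blocks whose body contains 'Require all denied'."""
    return [PurePosixPath(path.strip())
            for path, body in DIRECTORY_BLOCK.findall(apache_conf)
            if re.search(r"Require\s+all\s+denied", body, re.I)]

def audit(image_root, docroot, apache_conf):
    """One (path_in_image, covered_by_deny, url_has_password) tuple per .git dir."""
    denied = denied_dirs(apache_conf)
    findings = []
    for dirpath, dirnames, _ in os.walk(Path(image_root) / docroot.lstrip("/")):
        if ".git" not in dirnames:
            continue
        dirnames.remove(".git")  # report it, do not descend into it
        git_dir = Path(dirpath) / ".git"
        in_image = PurePosixPath("/") / git_dir.relative_to(image_root).as_posix()
        covered = any(in_image == d or d in in_image.parents for d in denied)
        config = git_dir / "config"
        text = config.read_text() if config.is_file() else ""
        has_password = any(urlsplit(u).password for u in REMOTE_URL.findall(text))
        findings.append((str(in_image), covered, has_password))
    return findings

def demo(apache_conf=PAGE_RULE):
    """Constructed tree mirroring the image layout described above."""
    with tempfile.TemporaryDirectory() as root:
        git_dir = Path(root, "srv/app/html/.git")
        git_dir.mkdir(parents=True)
        # Constructed remote URL; the host and token are placeholders.
        (git_dir / "config").write_text(
            '[remote "origin"]\n'
            "\turl = https://gitlab-ci-token:PLACEHOLDER@gitlab.example/repo.git\n")
        return audit(root, "/srv/app/html", apache_conf)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against the rule as deployed, the finding is uncovered and credential-bearing; pointing the rule at `/srv/app/html/.git` flips the coverage flag, but the token is still in the image and still needs rotating.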