While conducting an assessment of the WhatsApp web application, I noticed that the .gitignore file was exposed.
What are .gitignore files?
This is a user-defined file that tells git not to track certain files. For example, if you add a “temp.txt” file to your git repository and run “git status”, it lists temp.txt as an untracked file. If you don’t want temp.txt to be tracked, you add its name to your .gitignore file. A whole folder can be ignored by listing it (a trailing slash, such as “logs/”, matches directories only), patterns may use “*” and other glob wildcards, and a line starting with “!” re-includes a file that an earlier pattern excluded.
Example: the sample .gitignore file of the Brakeman project -
If you look carefully, a .gitignore file discloses folder structure and filenames. It is usually committed at the root of the repository (one can also live in any subdirectory), so when a repository is deployed as-is, the file lands in the web root next to the site itself. While testing the WhatsApp web application, I happened to visit the following URL: https://www.whatsapp.com/.gitignore. It downloaded the .gitignore file from the WhatsApp project.
As you can see, it discloses the “node_modules” folder: they didn’t want the installed npm dependencies in node_modules to be committed to git. I reported this issue to the Facebook security team. Since it was not a sensitive disclosure, they rejected my submission.
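As an added example (not part of the original post, and not the real WhatsApp file), the following Python parses a constructed .gitignore written in the style of a typical Node project and shows two things: what git would actually ignore, and which concrete paths the file leaks to anyone who can download it. The matcher implements the main gitignore rules (anchoring on a slash, trailing-slash directory patterns, `*`/`**` wildcards, `!` negation, last match wins); bracket character classes are flagged as wildcards but not expanded.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the style of a Node project's .gitignore (not the WhatsApp file).
SAMPLE_GITIGNORE = """\
# dependencies and build output
node_modules/
/build
*.log
!important.log
config/secrets.yml
.env
**/tmp/
"""


@dataclass
class Entry:
    pattern: str          # glob with leading/trailing slashes removed
    negated: bool         # line started with "!": re-include
    directory_only: bool  # line ended with "/": matches directories only
    anchored: bool        # contains a "/": relative to the repository root
    has_wildcard: bool    # contains *, ? or [


def parse_gitignore(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:]
        directory_only = line.endswith("/")
        line = line.rstrip("/")
        if not line:
            continue
        anchored = "/" in line
        pattern = line.lstrip("/")
        has_wildcard = any(c in pattern for c in "*?[")
        entries.append(Entry(pattern, negated, directory_only, anchored, has_wildcard))
    return entries


def _glob_to_regex(pattern: str) -> str:
    """Translate gitignore glob syntax: '**' spans directories, '*' and '?' do not."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return out


def _matches(entry: Entry, path: str) -> bool:
    is_dir = path.endswith("/")
    parts = [p for p in path.split("/") if p]
    regex = re.compile(_glob_to_regex(entry.pattern))
    for k in range(1, len(parts) + 1):
        # anchored patterns must match a root-relative prefix; unanchored ones any single component
        candidate = "/".join(parts[:k]) if entry.anchored else parts[k - 1]
        if regex.fullmatch(candidate):
            # a match on a parent directory ignores everything below it
            if not entry.directory_only or k < len(parts) or is_dir:
                return True
    return False


def is_ignored(path: str, entries: List[Entry]) -> bool:
    """Last matching pattern wins, as in git; a negated match un-ignores the path."""
    ignored = False
    for entry in entries:
        if _matches(entry, path):
            ignored = not entry.negated
    return ignored


def disclosed_names(entries: List[Entry]) -> List[str]:
    """Concrete file/directory names the .gitignore leaks to anyone who can read it."""
    return sorted({e.pattern for e in entries if not e.has_wildcard and not e.negated})


if __name__ == "__main__":
    entries = parse_gitignore(SAMPLE_GITIGNORE)
    for p in ["node_modules/react/index.js", "build/app.js", "src/build/app.js",
              "logs/debug.log", "important.log", "config/secrets.yml",
              "a/b/tmp/x.txt", "src/app.js"]:
        print(f"{p:30} ignored={is_ignored(p, entries)}")
    print("disclosed:", disclosed_names(entries))
```

The `disclosed_names` output is the attacker's view: even with nothing else exposed, the file tells you that the deployment has a `build` directory at the root, a `config/secrets.yml`, a `.env` and a `node_modules` tree, which are exactly the paths worth requesting next.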
Remediation: It’s a best practice to deny web access to .gitignore and, more generally, to every dotfile and version-control artifact that can end up in a web root (.git/, .svn/, .env, .htaccess), or better still, not to deploy repository metadata into the web root at all. Answer such requests with 404 rather than 403, so the response does not confirm that the file exists. An exposed .gitignore is also a cue to check whether the .git directory itself is reachable (for example /.git/HEAD), since that would expose the full source history, not just filenames.
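As an added example of the remediation (my own code, not WhatsApp's or Facebook's), here is a path filter and WSGI middleware that refuses any request whose path contains a segment starting with a dot. It decodes percent-encoding repeatedly and normalises `..` so that `/%2egit/config` or `/static/../.env` cannot slip past, and it keeps `.well-known` reachable because ACME and similar protocols need it; the allowlist, the 404 body and the stand-in application are assumptions for illustration.

```python
import posixpath
from urllib.parse import unquote

# Dot-directories that legitimately must stay reachable (ACME challenges etc.). Assumed allowlist.
ALLOWED_DOT_DIRS = {".well-known"}


def is_forbidden_path(raw_path: str) -> bool:
    """True if any path segment starts with '.', after decoding and normalisation.

    Covers .gitignore, .git/, .svn/, .env, .htaccess and the like, and defeats
    percent-encoding ('/%2egit'), double encoding and '..' traversal tricks.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # decode repeatedly (bounded) to beat double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    normalized = posixpath.normpath("/" + path.replace("\\", "/"))
    segments = [s for s in normalized.split("/") if s]
    for i, segment in enumerate(segments):
        if segment.startswith(".") and not (i == 0 and segment in ALLOWED_DOT_DIRS):
            return True
    return False


def deny_dotfiles(app):
    """WSGI middleware: answer 404 (not 403, which would confirm existence) for dotfile paths."""
    def wrapper(environ, start_response):
        if is_forbidden_path(environ.get("PATH_INFO", "")):
            body = b"Not Found"
            start_response("404 Not Found", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapper


def _static_app(environ, start_response):
    """Stand-in for the real application: it would happily serve whatever is asked for."""
    body = b"served " + environ["PATH_INFO"].encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def status_for(path: str) -> str:
    """Run one request through the guarded app and return the HTTP status line."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    app = deny_dotfiles(_static_app)
    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"]


if __name__ == "__main__":
    for p in ["/index.html", "/.gitignore", "/.git/HEAD", "/%2egit/config",
              "/static/../.env", "/.well-known/acme-challenge/x", "/.well-known/../.env"]:
        print(f"{p:32} -> {status_for(p)}")
```

In production the same rule belongs in the front-end server rather than the application (nginx `location ~ /\.` returning 404, or an Apache `FilesMatch` on names beginning with a dot), so that it also covers static files the application never sees; the middleware above is a second line of defence and a convenient way to test the rule.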
Thanks and Regards,