Git – removing password, sensitive data from older commits (history)

In a nutshell:

1. Just in case, make a backup of your repo.
2. Download the bfg-1.13.0.jar file from https://rtyley.github.io/bfg-repo-cleaner/ and copy it to the project folder.
3. Create a passwords.txt file and write in it the password you want to remove from the repository.
4. Run the following commands:
   java -jar bfg-1.13.0.jar --replace-text passwords.txt
   git reflog expire --expire=now --all && git gc --prune=now --aggressive
   git push --force

If you have inadvertently committed confidential data, e.g. passwords, there is a way to delete this information from the git commit history. I use BFG Repo-Cleaner, which you can download from: https://rtyley.github.io/bfg-repo-cleaner/
Before any steps please make a backup of your repo to ensure you don’t lose anything.

Below I show example commits and the steps to deal with them. For example, in your project you have the file appsettings.json, and in ConnectionStrings you wrote the password and then committed it. Even if you change it in the next commit, your password still remains in the history.

So at the beginning we have Password=MyVeryOwnPaS$721

appsettings.json

After first commit on Github:

appsettings.json in the github repository

Then I updated file with new pass: Password=123456789

appsettings.json updated

After second commit on Github (the old password is visible):

appsettings.json updated in the github repository

I downloaded the bfg-1.13.0.jar file (https://rtyley.github.io/bfg-repo-cleaner/) and copied it to my project folder. Then I created a passwords.txt file and wrote in it the password that I want to remove.

bfg-1.13.0.jar

Password “MyVeryOwnPaS$721” that I want to find in my repo and remove:

passwords.txt

Next, run the command (java -jar bfg-1.13.0.jar --replace-text passwords.txt) to replace all passwords listed in the passwords.txt file with the string ***REMOVED*** wherever they occur in your repository history:

java -jar bfg-1.13.0.jar --replace-text passwords.txt

In the console output we can see the name of the file that contained our password; this file will be changed.

Console output

Next, run the command (git reflog expire --expire=now --all && git gc --prune=now --aggressive) to expire the reflog and prune the old objects, so that the original password no longer exists anywhere in the repository:

git reflog expire --expire=now --all && git gc --prune=now --aggressive

Also, the BFG report with full details is logged in a newly created folder:

WebApplication.bfg-report

This folder contains three files, so there we can also check which files contained our password:

BFG report

Now we can remove the bfg-1.13.0.jar and passwords.txt files.

And the last command (git push --force) pushes our rewritten history to the remote repo:

Now we can check that the commits in the history were changed:

‘Git init’ commit, Password=***REMOVED***:

‘Git init’ commit updated

‘Updated appsettings.json’ commit, also Password=***REMOVED***:

‘Updated appsettings.json’ commit updated
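The check a practitioner wants after this procedure is proof that the old password is gone from every commit that any branch, tag or remote still reaches. The script below is an added example, not code from the original post or from the BFG project: it builds a throwaway repository with the same two commits as above (the password committed, then changed in the next commit), lists the commits whose tree still contains the old password, and, only if java and bfg-1.13.0.jar are present in the current directory, runs the three commands from the post and re-checks. The repository layout, the sample appsettings.json content and the temp directory name are constructed for the demo; the password value is the one shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post or the BFG project): reproduce
# the two commits described above, then verify whether the old password is
# still reachable anywhere in git history, before and after the BFG cleanup.
set -eu

SECRET='MyVeryOwnPaS$721'   # constructed sample value taken from the post

# Exit 0 if the literal string $2 occurs in any file of any commit reachable
# from any ref (branches, tags, remotes) of the repository in $1.
secret_in_history() {
    repo="$1"; secret="$2"
    git -C "$repo" grep -q -F -e "$secret" $(git -C "$repo" rev-list --all)
}

# Print, one per line, the commits whose tree still contains the secret.
commits_with_secret() {
    repo="$1"; secret="$2"
    git -C "$repo" grep -l -F -e "$secret" $(git -C "$repo" rev-list --all) \
        | cut -d: -f1 | sort -u
}

# Constructed demo repository: the same two commits as in the post.
make_demo_repo() {
    repo="$1"
    rm -rf "$repo"
    git init -q "$repo"
    git -C "$repo" config user.email "demo@example.invalid"
    git -C "$repo" config user.name "demo"
    printf '{ "ConnectionStrings": { "Default": "Server=db;Password=%s" } }\n' \
        "$SECRET" > "$repo/appsettings.json"
    git -C "$repo" add appsettings.json
    git -C "$repo" commit -q -m "Git init"
    printf '{ "ConnectionStrings": { "Default": "Server=db;Password=123456789" } }\n' \
        > "$repo/appsettings.json"
    git -C "$repo" commit -q -a -m "Updated appsettings.json"
}

# The cleanup commands from the post; runs only when the tool is available.
clean_with_bfg() {
    repo="$1"
    jar="$(pwd)/bfg-1.13.0.jar"
    if ! command -v java >/dev/null 2>&1 || [ ! -f "$jar" ]; then
        echo "java or $jar not found; skipping the rewrite step" >&2
        return 2
    fi
    printf '%s\n' "$SECRET" > "$repo/passwords.txt"   # one literal per line
    ( cd "$repo" \
      && java -jar "$jar" --replace-text passwords.txt \
      && git reflog expire --expire=now --all \
      && git gc --prune=now --aggressive )
    rm -f "$repo/passwords.txt"
}

main() {
    repo="${TMPDIR:-/tmp}/bfg-demo.$$"
    make_demo_repo "$repo"
    echo "Commits containing the old password before cleanup:"
    commits_with_secret "$repo" "$SECRET"
    if clean_with_bfg "$repo"; then
        if secret_in_history "$repo" "$SECRET"; then
            echo "Old password is STILL in history; check the .bfg-report folder"
        else
            echo "Old password no longer appears in any reachable commit"
        fi
    fi
    rm -rf "$repo"
}

main
```

Two caveats that the commands alone do not convey. First, BFG leaves the current (HEAD) commit untouched by default, so the value must already be gone from the latest commit, as it is in the walkthrough above; a passwords.txt line is treated as a literal to replace with ***REMOVED*** (BFG also accepts a `regex:` prefix and a `==>` replacement suffix). Second, rewriting history only affects this repository: a password that was pushed to GitHub has already been exposed and should be rotated, copies in other clones, forks and CI caches are not touched, and everyone working on the repo must re-clone or reset after the force push.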

That’s all, I hope this post will help someone.
