MSRC was informed by Wiz.io, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue in which customers could unintentionally cause the .git folder to be created in the content root, putting them at risk of information disclosure. This, when combined with an application configured to serve static content, makes it possible for others to download files not intended to be public. We have notified the limited subset of customers that we believe are at risk due to this, and we will continue to work with our customers on securing their applications.
App Service Linux customers who deployed applications using Local Git after files were created or modified in the content root directory are impacted. This happens because the system attempts to preserve the currently deployed files as part of the repository contents, which activates what the deployment engine (Kudu) refers to as an in-place deployment.
PHP, Node, Python, Ruby and Java applications coded to serve static content:
Not all users of Local Git were impacted. Only customers who deployed code to App Service Linux via Local Git after files had already been created in the application were impacted.
Azure App Service Windows is not impacted, as it runs in an IIS-based environment.
Microsoft took the following steps after this issue was brought to our attention:
Some web applications are coded to serve every file in the content folder as static content. If the .git folder (which contains the state and history of the source control repository) is also in the content folder of such an application, others are able to download its files via ordinary requests to the web app.
The cases where the .git folder can be in the content folder are:
The combination of a .git folder in the content folder and an application that serves out static content makes the app susceptible to source code exposure.
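As an added illustration (not code from this post, from Kudu or from App Service), the following minimal Python static-file handler models the behaviour described above: a handler that maps every request onto a file under the content root will happily return .git/HEAD and .git/config, while a hardened variant refuses any path with a dot-directory segment. The content root, file names and file contents are constructed sample data, and the resolver logic is a simplified stand-in for what a real web framework does.

```python
"""Constructed example: why a .git folder inside a static content root
leaks repository state, and one way a static handler can refuse it."""
import tempfile
from pathlib import Path


def build_sample_content_root() -> Path:
    """Create a throwaway content root shaped like an in-place Local Git
    deployment: public files sitting next to the repository's .git folder."""
    root = Path(tempfile.mkdtemp(prefix="approot-"))
    (root / "index.html").write_text("<h1>hello</h1>")
    git = root / ".git"
    git.mkdir()
    # Constructed repository metadata, the kind of file an exposed .git leaks.
    (git / "HEAD").write_text("ref: refs/heads/master\n")
    (git / "config").write_text('[remote "origin"]\n\turl = https://example.invalid/app.git\n')
    return root


def _resolve(root: Path, request_path: str):
    """Map a URL path onto a regular file under root; None if missing or if
    the path escapes the content root (directory traversal)."""
    root = root.resolve()
    candidate = (root / request_path.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        return None
    return candidate if candidate.is_file() else None


def serve_static(root: Path, request_path: str):
    """Risky handler: serves any regular file under root, including /.git/HEAD.
    Returns (status, body)."""
    target = _resolve(root, request_path)
    if target is None:
        return 404, ""
    return 200, target.read_text()


def serve_static_hardened(root: Path, request_path: str):
    """Hardened handler: refuses any request whose path contains a segment
    beginning with '.', which covers .git/ (and files such as .env), then
    falls back to the ordinary static behaviour. Returns (status, body)."""
    segments = [s for s in request_path.split("/") if s]
    if any(s.startswith(".") for s in segments):
        return 403, ""
    return serve_static(root, request_path)
```

Checking only the final path component for a leading dot is not enough: `/.git/HEAD` ends in `HEAD`, so the whole path must be inspected segment by segment.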
Wiz.io has posted a blog about this issue available here. We would like to thank Wiz.io who found this issue and worked closely with Microsoft to help secure our customers.
The MSRC Team