Security thoughts on remixing and secret word hunt

For some of us, we can only make public projects now. Here are some tips to help make sure your secrets don’t leak when someone remixes your project.

.git is copied to remixes

The .git directory has historical versions of your project, and it’s used in the Rewind feature. For users comfortable with using Git from the command line, they can also set configuration options and add remote repository URLs to push and pull from.

In some experiments, I confirmed that remixing a project copies over the entire .git directory.

This means we should be very careful when working on a public project.

  1. Never type anything sensitive into a file that can be automatically committed, because Glitch may commit it for you, and that will put a copy into .git which will remain even if you edit it out of the file later.
  2. If you use Git, e.g. from the command line, make sure nothing sensitive is in your configuration.
  3. If you add a remote, make sure not to put any sensitive credentials in the URL. Note that Glitch’s own read-write project Git URL contains a token that grants permission to write (for private projects, permission to read as well).

node_modules is copied to remixes

We have known that node_modules is ephemeral, which makes it not suitable for storing application state in general, but it has still been useful as a cache. But because it is copied on remix, make sure your app and your app’s dependencies don’t write anything into node_modules unless it’s completely public.

Try it out: secret word hunt

I’ve made a sample project for you to try this out. Remix it and see if you can find up to three secret words in your copy!