Git Leak Recovery
Overview
This skill covers two related but distinct operations: (1) recovering secrets or data that may exist in orphaned commits, reflog entries, or unreachable git objects, and (2) thoroughly cleaning repositories to ensure sensitive data cannot be recovered. Both operations require understanding git's internal storage mechanisms beyond standard high-level commands.
Workflow Decision Tree
Is the goal to RECOVER or CLEAN UP a secret?
│
├─► RECOVER secret from git history
│ └─► Follow "Recovery Workflow" section
│
└─► CLEAN UP / ensure secret is removed
└─► Follow "Cleanup Workflow" section
└─► CRITICAL: Follow "Verification Workflow" - superficial checks are insufficient
Recovery Workflow
Step 1: Identify Potential Secret Locations
Search these locations in order of likelihood:
-
Reflog - Records all ref updates, even after commits are "deleted"
git reflog --all git reflog show HEAD -
Unreachable/Orphaned commits - Commits not referenced by any branch
git fsck --unreachable --no-reflogs git fsck --lost-found # Creates refs in .git/lost-found/ -
Dangling objects - Objects not referenced by anything
git fsck --dangling -
Stashes - Often forgotten storage location
git stash list git stash show -p stash@{N} -
Git notes - Metadata attached to commits
git notes list
Step 2: Examine Suspicious Objects
Once object hashes are identified:
# View commit content
git show <commit-hash>
# View any object type
git cat-file -p <object-hash>
# Determine object type
git cat-file -t <object-hash>
Step 3: Extract and Save
After locating the secret:
# Save specific file from a commit
git show <commit>:<path/to/file> > recovered_file.txt
# Or checkout the entire commit temporarily
git checkout <commit> -- <path/to/file>
Cleanup Workflow
Step 1: Remove References
Remove all references that point to commits containing the secret:
# Delete reflog entries
git reflog expire --expire=now --all
# Remove backup refs (created by filter-branch, etc.)
rm -rf .git/refs/original/
# Remove stashes if they contain secrets
git stash drop stash@{N}
# Remove notes if applicable
git notes remove <commit>
Step 2: Garbage Collection
Force immediate garbage collection:
git gc --prune=now --aggressive
Step 3: Handle Pack Files
Pack files may retain objects even after gc:
# Repack aggressively
git repack -a -d -f --depth=250 --window=250
# Or for thorough cleanup, unpack and repack
mv .git/objects/pack/*.pack .
git unpack-objects < *.pack
rm *.pack
git gc --prune=now
Verification Workflow
CRITICAL: Standard verification commands are often insufficient. Follow this thorough approach.
Common Pitfall: Superficial Verification
These commands are NOT sufficient for security-sensitive cleanup:
# INSUFFICIENT: Only searches working directory, not git objects
grep -r "secret" .
# INSUFFICIENT: Greps fsck output (SHA hashes), not object content
git fsck --unreachable | grep "secret"
Thorough Verification Steps
-
Search all reachable commit content:
git log --all -p -S "secret_pattern" -- -
Search unreachable objects content (see
references/verification_commands.md):# List all objects and search their content git rev-list --all --objects | cut -d' ' -f1 | while read obj; do git cat-file -p "$obj" 2>/dev/null | grep -l "secret_pattern" && echo "Found in: $obj" done -
Search loose objects directly:
find .git/objects -type f -name '[0-9a-f]*' | while read f; do dir=$(dirname "$f" | xargs basename) file=$(basename "$f") hash="${dir}${file}" git cat-file -p "$hash" 2>/dev/null | grep "secret_pattern" && echo "Found in loose object: $hash" done -
Search pack files:
for pack in .git/objects/pack/*.idx; do git verify-pack -v "$pack" 2>/dev/null | awk '{print $1}' | while read obj; do git cat-file -p "$obj" 2>/dev/null | grep "secret_pattern" && echo "Found in pack: $obj" done done -
Verify no backup refs exist:
ls -la .git/refs/original/ 2>/dev/null find .git -name "*.orig" -o -name "*_BACKUP_*" -
Check for any remaining refs:
git for-each-ref --format='%(refname)'
Common Pitfalls
| Pitfall | Why It Happens | Solution |
|---|---|---|
| Grepping fsck output | git fsck outputs hashes, not content | Use git cat-file -p on each object |
| Missing pack files | Objects may be packed, not loose | Search both loose objects and pack files |
| Forgetting reflog | Reflog preserves "deleted" commits | git reflog expire --expire=now --all |
| Ignoring backup refs | filter-branch creates refs/original/ | Remove .git/refs/original/ |
| Overlooking stashes | Stashes are separate ref namespace | Check git stash list |
| Missing git notes | Notes attach to commits separately | Check git notes list |
| Shallow verification | Working directory != git object store | Search object store directly |
Resources
references/
verification_commands.md- Comprehensive verification scripts for thorough cleanup verification
These references provide ready-to-use command sequences for the verification workflow, which is the most error-prone part of git leak recovery tasks.