.gitmodules File is Included in Output by Default

For Workes & Pages, what is the name of the domain?

N/A

What is the issue or error you’re encountering

When setting up a monorepo or repository with submodules for deployment to pages, by default, the contents of the .gitmodules file are available in the served page.

What steps have you taken to resolve the issue?

Admittedly I haven’t done much more than a vanilla deployment using Cloudflare, and I know much more complicated build setups are possible. But using the default settings (i.e. no build script, I just create a new repo and hook it into my github/lab/whatever account), I feel that files like this should be detected, skipped, and not available to the served site.

I understand reasons for perhaps not ignoring dotfiles, or even files known to be associated with git, by default. But as a motivating example, when trying to work out how to initialise submodules properly, I came across this accepted stack overflow answer, as well as several other posts, indicating that the way to do it is to include the deploy token in the submodule. By serving this file by default this thus means that any tokens, URLs, or other private information within that file are leaked to the general public. If I knew the domain of the person posting that reply, I would probably be able to gain at least read-only access to their repository.

I therefore think that files like this should be filtered at least when there is no custom build script in place. A warning or similar would be nice for custom build scripts if potentially sensitive files are detected in the static output, but understandably with greater control comes greater responsibility and the user will need to manage the omission of these files themselves using their build tool, preferably having been advised on the risks somewhere though.

Thanks

What are the steps to reproduce the issue?

  • Create an empty repository
  • Add a submodule pointing to e.g. Github’s Spoon-Knife repository
  • Commit and push, triggering a deployment
  • curl https://example.pages.dev/.gitmodules returns the contents of the file