Mercurial: Permanently delete sensitive data from the HG repository?

I know that in Mercurial "history is sacred."

But let's say that someone accidentally commits something they should not, like a settings file containing a password or something like that. Let's even say that some time passes before anyone realizes this, so that it sits there for several commits. Obviously, the creator then deletes the sensitive data from the repository.

Is there any way to permanently clear this file or sensitive data from the commit history, as if it never existed? Or will this sensitive data just be a permanent part of the repo forever and ever?

+6
4 answers

There are several ways to do this. All of them require the cooperation of everyone who cloned your repository or pulled changesets from it after the change was made.

Which method to use depends on the exact nature of the data that was committed and where it is in the history. All of them require the use of Mercurial extensions and cannot be performed with core Mercurial. Fortunately, all the necessary extensions ship with Mercurial by default and just need to be enabled.

I will not go into details about the methods here, since there are several answers that give different methods in the question this is a duplicate of. I just want to be clear that the accepted answer on this question is technically correct, but not useful. It is really possible.

+2

I have not investigated the details of how hooks work, so this idea might not fully play out. It may be possible to set up hooks to prevent your sensitive files from being committed, pushed and pulled. There are hooks that run before a commit or a push (precommit and preoutgoing). Protecting the hooks so that they are not bypassed is another issue, which Mercurial: The Definitive Guide also talks about.

+1
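The hook idea from the answer above, sketched as an added example (not code from any of the posters): an in-process Mercurial hook that rejects a commit adding or modifying a file on a deny list. It is bound to pretxncommit rather than the precommit hook named in the answer, because precommit runs before the changeset exists and is not given its file list; the deny globs and the nosecrets.py file name are assumptions made for this example.

```python
# nosecrets.py -- added example. Enable it in the repository's .hg/hgrc with:
#   [hooks]
#   pretxncommit.nosecrets = python:/path/to/nosecrets.py:hook
import fnmatch
import posixpath

# Assumed deny list, constructed for this example; adapt it to your project.
DENY_GLOBS = ["sensitive.config", "*.pfx", "*.pem", "secrets/*"]


def blocked_paths(paths, globs=DENY_GLOBS):
    """Return the paths (as str) that match a deny glob.

    Mercurial hands hooks repository-relative paths as bytes with '/'
    separators; both the full path and the bare file name are tested.
    """
    hits = []
    for raw in paths:
        path = raw.decode("utf-8", "replace") if isinstance(raw, bytes) else raw
        name = posixpath.basename(path)
        if any(fnmatch.fnmatchcase(path, g) or fnmatch.fnmatchcase(name, g)
               for g in globs):
            hits.append(path)
    return hits


def hook(ui, repo, node=None, **kwargs):
    """pretxncommit hook: a true return value rolls the commit back."""
    ctx = repo[node]
    # ctx.files() also lists files the changeset removes; skip those so the
    # commit that deletes a leaked file is not itself rejected.
    added_or_modified = [f for f in ctx.files() if f in ctx]
    hits = blocked_paths(added_or_modified)
    for path in hits:
        ui.warn(("nosecrets: refusing to commit %s\n" % path).encode("utf-8"))
    return bool(hits)
```

A hook like this only covers clones where it is installed and only stops new commits; it does nothing for a secret that is already in history.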

No. Not really. If you can convince everyone who has access to delete and redo, you can remove the file from future access.

But if, for example, you pushed your root password to a public Bitbucket repository? You have to change it. Your information is now publicly available and leaked, and should be treated as such. Unfortunately.

0

If and only if this repository has not been released into the wild, you can delete the file from the history, essentially by cloning it into a new repository while filtering out the confidential file in the process, using hg convert (see the Hg Convert Extension documentation).

Usually we find something when we check the repository before publishing or delivering it to the client, such as a web.config or ini file with a password.

The extension is not enabled by default, but is enabled in all my clients; you need to enable it before Mercurial recognizes the convert command.

If you are using Tortoise Hg or Kiln, for example:

  • Open Tortoise Hg → Global Settings → Extensions
  • Check the box next to "Convert"
  • Click OK

Or edit Mercurial.ini directly:

     [extensions]
     convert =

Go to the directory above your repository (in my example, my repo is HelloApp):

  • Create a file called filemap.txt

  • Add a line with the full path and name of the file you want to exclude:

     exclude HelloApp/sensitive.config

  • Open a command line, cd to the same directory containing the filemap.txt file, and run hg convert:

     cd C:\projects
     hg convert --filemap filemap.txt HelloApp HelloApp_clean

  • Then get the latest working copy:

     cd HelloApp_clean
     hg update

You will need to create a new clone on your server with your clean copy.

0