🚀 Launch Week Day 5:Introducing Immutable Scans.Learn More →
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

www.github.com/c-sto/gogitdumper.git

Package Overview
Dependencies
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

www.github.com/c-sto/gogitdumper.git

Go Modules
Version
v0.0.0-20221111053700-96e06cae145d
Version published
Created
Source

GoGitDumper

IMPORTANT!

Versions before 0.7 are vulnerable to a directory traversal (and arbitrary file write).

Installation

go get github.com/c-sto/gogitdumper

Usage

gogitdumper -u http://urlhere.com/.git/ -o yourdecideddir/.git/
..(wait for dumping)..
cd yourdecdieddir
git log
git checkout *

If directory listing is not enabled:

It may not collect every single bit of the source repo - but it should get a substantial amount of it fairly quickly.

It definitely won't get most of the packfiles, which is very annoying, but I can't think of a good method of obtaining those yet.

If directory listing is enabled: it should get everything. Congrats, you have the full source of the target.

Description

More than once during an engagement I've needed to dump a public git repo that is available over http, occasionally without directory indexing enabled.

This tool can be pointed at a git repo hosted on a web server, it will attempt to mirror it using whatever method is best. If directory indexing is detected, it will mirror all of the files in the .git/ directory. If indexing is not enabled, the tool will parse the .git/index file for references, then recursively check all references for more references etc.

If files are being obtained via references in the index file, packfiles will probably be missed. At this stage, I'm unsure if there is a good way of getting those files blindly. If you have an idea for this, please let me know.

The current tools available for this are relatively slow - who has time to wait 30 seconds for a repo do dump? not me, that's for sure.

As with any code I write - it's likely awful, full of bugs etc. This is an attempt to make my life easier - if you feel the code should work differently, or could be better, please either:

  • Tell me. I'll probably agree and implement your suggestions if I have time.
  • Submit an Issue. I'll probably agree and implement your suggestions if I have time.
  • Submit a pull request. I'll probably like it, and merge it if it's not too terrible.

Code based heavily on https://github.com/arthaud/git-dumper/ and https://github.com/internetwache/GitTools which are reasonably good tools I've found to help with this process. Index parsing mostly based on https://github.com/sbp/gin/

FAQs

Package last updated on 11 Nov 2022

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Malicious Chrome Extension Performs Hidden Affiliate Hijacking

Research

/

Security News

Malicious Chrome Extension Performs Hidden Affiliate Hijacking

A Chrome extension claiming to hide Amazon ads was found secretly hijacking affiliate links, replacing creators’ tags with its own without user consent.

By Kush Pandya  -  Jan 27, 2026
Introducing Immutable Scans

Product

Introducing Immutable Scans

Scan results now load faster and remain consistent over time, with stable URLs and on-demand rescans for fresh security data.

By Nolan Lawson  -  Jan 23, 2026