40

I pushed a file containing a password to my repo by mistake - FYI the repo is just a small personal project.

Once I realised the password was present I added the file to `.gitignore` and executed `git rm -r --cached <filename>`, committed and pushed to the repo.

I now realise the password is still present in the history - what is the best way to remove it?

I read the Remove sensitive data page on GitHub which suggests changing the password - which I have done - but I would like to remove the history as well.

NRKirby

3 Answers

65

Since you have already made 5 commits since the commit containing the clear text password, your best bet is to do a `git rebase -i` in interactive mode on your local branch. Find the SHA-1 of the commit where you added the clear text password, and type the following:

git rebase --interactive dba507c^

where `dba507c` are the first 7 characters of the SHA-1 for the bad commit.

Change this:

pick dba507c comment for commit containing clear text password

To this:

edit dba507c I have removed the clear text password

Make the change to the password file to remove the clear text, then commit your result like this:

git commit --all --amend --no-edit
git rebase --continue

Finish the rebase, then push your (correct) local branch to the remote via:

git push -f origin your_branch

You will need to force push `your_branch` because you have rewritten history (by modifying the password file). Now you have all your latest commits, but you have removed the clear text.

Tim Biegeleisen
  • 1
    For future reference, if you had caught the clear text commit before making any others in your remote, you could have fixed it with a one-line solution. – Tim Biegeleisen Apr 20 '15 at 08:03
  • 2
    If you are trying to change something in your first commit start off with `git rebase [-i] --root $tip` instead – William Reed Sep 07 '18 at 00:25
  • This answer, as well as [this one](https://stackoverflow.com/a/872700/8075923) are both of great value for the community. Thanks guys, +1. – Soutzikevich Jan 21 '19 at 13:57
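
A check to run after rewriting history and before the force push, added here as an example and not part of the original answers: it searches every branch and tag, because a rebase or amend rewrites only the current branch, and any other ref still pointing at the old commit keeps the password. The throwaway repository, the file name `settings.conf` and the password are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the original answers). The password below is constructed.

# List commits on any branch or tag whose diff adds or removes the string.
# -S is git's pickaxe search; --all walks every ref, not only the current branch.
commits_touching_secret() {
    git log --all --format='%h %s' -S"$1"
}

# Return 0 if the string appears in any file of any commit reachable from a ref.
secret_in_history() {
    local rev
    for rev in $(git rev-list --all); do
        git grep -q -F -e "$1" "$rev" && return 0
    done
    return 1
}

# Build a throwaway repo that reproduces the leak: one commit with the
# password, a tag on it, then an amend that removes the password.
make_demo_repo() {
    local dir g
    dir=$(mktemp -d) || return 1
    g="git -C $dir -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false"
    $g init -q
    echo 'db_password=hunter2-constructed' > "$dir/settings.conf"
    $g add settings.conf
    $g commit -q -m 'add settings'
    $g tag v0                       # a second ref that still points at the leak
    echo 'db_password=' > "$dir/settings.conf"
    $g commit -q --all --amend --no-edit
    echo "$dir"
}
```

Run `secret_in_history 'the-old-password'` from inside the rewritten clone; a zero exit status means some branch or tag still carries it, and `commits_touching_secret` shows which commits to look at. Neither function inspects the local reflog or copies that others have already cloned, which is why changing the password remains necessary.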
18

If it was the previous commit, then remove the password from the file and run

git add file_with_pwd
git commit --amend 
git push -f origin master

Note: Once you posted that here on Stack Overflow, many guys may have already cloned the repo (you have the same username on GitHub and just one repository). Change the password!

hek2mgl
  • 2
    Upvote for picking up that security hole (I have not cloned that repo FYI). – Tim Biegeleisen Apr 20 '15 at 07:27
  • 1
    I did, but I will **not** harm the OP in any case. I did it just to show him that he needs to change the password, since other guys probably won't tell him that. – hek2mgl Apr 20 '15 at 07:28
  • 1
    `page on Github which suggests changing the password - which I have done` - May be useful to future readers, not the OP. – AD7six Apr 20 '15 at 07:32
  • 1
    As mentioned in my original post **I have** changed the password. FYI it isn't the previous commit – NRKirby Apr 20 '15 at 07:33
  • 1
    @NRKirby Perfect! I have overlooked that. Will keep the answer to help others. – hek2mgl Apr 20 '15 at 11:19
0

You can use `git reset --soft` in your branch to undo that last commit.
Then remove the creds from the respective files.
And do the command sequence `git add <updated-file>`, `git commit`, and `git push -f`.
E.g.:

git checkout <branch-name>
git reset --soft HEAD~1
git add <updated-file>
git commit -m "commit message"
git push -f origin <branch-name>

claudius