Microsoft has patched a security flaw in Azure App Service, dubbed “NotLegit” by the researchers who found it, that exposed the contents of “Local Git” repositories to the public. When an application is deployed with Local Git, the repository is copied into the web root at /home/site/wwwroot, and the .git folder comes with it. Azure App Service relies on a web.config file to block requests for that folder, but only Microsoft’s IIS web server honours web.config; the web servers behind Java, Node, PHP, Python and Ruby applications ignore it and serve the .git folder like any other static content. As a result, the proprietary or sensitive source code of applications in those languages that were deployed to Azure App Service with Local Git since September 2017, or deployed since September 2017 using any Git source, has been reachable by anyone who asked for it, including the full commit history stored in the repository. Applications written in C# and ASP.NET, which run on IIS, are not affected because the default web.config works as intended and blocks access to the copy of the .git folder in /home/site/wwwroot.
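The quickest way to find out whether one of your own applications is affected is to ask the web server for the files that every Git repository contains and check that what comes back is really Git data, not a catch-all HTML page. The script below is an added example for this article, not code from Wiz or Microsoft; the hostnames and the responses it replays are constructed so that it runs offline, and the function and file names are my own choices.

```python
"""Check whether a web application serves its .git folder (the exposure pattern behind NotLegit)."""
import re
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Paths inside a Git repository whose content is easy to fingerprint.
# A single-page app or a catch-all route answers 200 to every path, so a
# status-only check would produce false positives; the body must also look
# like the real file.
GIT_PROBES = {
    "/.git/HEAD": re.compile(r"\A(ref: refs/heads/\S+|[0-9a-f]{40})\s*\Z"),
    "/.git/config": re.compile(r"^\s*\[core\]", re.MULTILINE),
}


def classify_git_response(path: str, status: int, body: str) -> bool:
    """Return True when (status, body) looks like the genuine Git file at `path`."""
    pattern = GIT_PROBES.get(path)
    if pattern is None or status != 200:
        return False
    return pattern.search(body) is not None


def _http_fetch(url: str, timeout: float = 10.0):
    """Default fetcher: GET `url` and return (status, body); failures become (status, '')."""
    req = Request(url, headers={"User-Agent": "git-exposure-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            # The first few KiB are enough to fingerprint HEAD and config.
            return resp.status, resp.read(4096).decode("utf-8", errors="replace")
    except HTTPError as exc:
        return exc.code, ""
    except URLError:
        return 0, ""


def check_git_exposure(base_url: str, fetch=_http_fetch) -> dict:
    """Probe each fingerprinted path under `base_url`; returns {path: exposed?}."""
    base = base_url.rstrip("/")
    results = {}
    for path in GIT_PROBES:
        status, body = fetch(base + path)
        results[path] = classify_git_response(path, status, body)
    return results


# Constructed sample responses (hypothetical hosts) for an offline run: one
# application that serves its repository, one that returns an HTML page for
# every path and must not be reported.
SAMPLE_RESPONSES = {
    "https://exposed.example/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "https://exposed.example/.git/config": (
        200, "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"),
    "https://spa.example/.git/HEAD": (200, "<!doctype html><html><body>app</body></html>"),
    "https://spa.example/.git/config": (200, "<!doctype html><html><body>app</body></html>"),
}


def sample_fetch(url: str):
    """Replay the constructed responses instead of touching the network."""
    return SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or ["https://exposed.example", "https://spa.example"]
    for target in targets:
        fetch = sample_fetch if target.endswith(".example") else _http_fetch
        for path, exposed in check_git_exposure(target, fetch).items():
            print(f"{target}{path}: {'EXPOSED' if exposed else 'ok'}")
```

Run it with the base URL of an App Service site as the argument; a positive result on /.git/HEAD means the whole repository, history included, can be pulled down with standard tooling, and the same two requests are what mass scanners issue, so they are also worth watching for in access logs.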
The flaw was discovered by the Wiz Research Team and reported to Microsoft on October 7th, 2021. Microsoft has issued a mitigation for most Azure App Service customers, but some customers have configurations that remain vulnerable. Microsoft stated that all such customers should have received emails with mitigation details between December 7th and 15th. A sample email from the Wiz blog with Microsoft’s recommendations is below:
