Abílio Azevedo.

The day I recovered the company's source code

Cover Image for The day I recovered the company's source code
Abílio Azevedo
Abílio Azevedo

I wrote this article for the Revelo community. You can access it in portuguese here. English version is below.

TLDR

This article details the experience of recovering lost source code from a company that was connected to AWS Amplify. By changing the amplify.yml file, it was possible to push the source code to a Git repository during the build process. We will explore how Amplify works, focusing on security aspects and detailing how the source code is exposed at build time.

As developers, we go through some hassles on a daily basis: a company contacted me to do some freelance "small tweaks" service, but they didn't have access to the source code developed by the previous developer 😅. So, would you take on the project? Tell them to start from scratch? Try to recover the source code?

Scenario

The source code was hosted on GitHub and hosted on AWS through Amplify. We didn't have access to the repository, but we had access to the AWS dashboard.

Theory

At some point the code leaves GitHub and goes to AWS to be built and hosted. So we can have access, there is light at the end of the tunnel!

What is AWS Amplify?

AWS Amplify is a set of tools and services that allow developers to build scalable and secure applications in the cloud. It provides an easy-to-use interface to manage backend and frontend resources, including authentication, APIs, storage, and hosting.

You can start using Amplify by setting up a repository for your source code.

Amplify hosting

Notice that you need to authorize AWS Amplify to read your code and write the amplify.yml file which will control the build and deploy process in Amplify and can be customized to meet specific project needs.

Amplify Instalation

Source Code Recovery

As we have seen, the source code is exposed to AWS Amplify so that the build process can be done. In other words, don't go connecting your repository anywhere and any account. In this case, the previous developer who was providing service believed his code was inaccessible. However, we know this is not true.

The build settings are in a yml file and can be modified by the AWS dashboard or by the repository itself, as we can see in the following image:

Amplify Build

As I didn't have access to the repository, I modified this file through the AWS dashboard that the company had access to, and included a step before the build that sent all code to an empty git repository, thus maintaining the entire history of code changes.

version: 1
frontend:
  phases:
preBuild:
  commands:
    - echo 'Enviando código fonte para o repositório Git alternativo'
    - git remote add alternate-repo <URL_DO_REPOSITÓRIO_ALTERNATIVO>
    - git push alternate-repo master

With this we found out that the developer was outsourcing the service to someone else 🤡.

Note: If outsourcing was authorized in the contract, everything is fine. The guy went silent when he found out we were able to access the source code. But that's it folks, pay attention to the possibilities, understand how the tools work and their concepts so you can use them in the best way and get out of hassles like this, always ethically.

That is All Folks


More posts

Cover Image for CI/CD - Lint - Checks

CI/CD - Lint - Checks

Comprehensive guide to continuous integration and continuous delivery. Explains key concepts, tools like GitHub Actions and Drone, benefits of linting, integrating ESLint and Prettier, and using Git hooks for automation.

Abílio Azevedo
Abílio Azevedo
Cover Image for ReWork

ReWork

Unconventional, straight-to-the-point advice on how to run a business. Instead of focusing on fast growth, Rework encourages entrepreneurs to start small, stay agile, and focus on what's essential.

Abílio Azevedo
Abílio Azevedo

NewsLetter

I will send the content posted here. No Spam =)