Severity: high | CWE-538 | OWASP A05:2021

Database Backup Exposed

Database dump files (.sql, .dump, .bak) committed to the repository expose the entire database schema and data, including user credentials and sensitive records.

How It Works

Developers sometimes include database backup files in their repositories for convenience — seed data, local development, or migration reference. These files often contain full table schemas, user records with hashed or plaintext passwords, email addresses, and business-critical data. Even if the repo is private, these files are accessible to all collaborators and persist in git history. Attackers who find these files gain complete knowledge of the database structure and potentially all stored data. Public repos with .sql files are routinely discovered by automated scanners.

Vulnerable Code

  # Files committed to repository:
  # /backups/production-2024-01-15.sql
  # /seed/users.dump
  # /data/migrate.bak
  git add backups/ seed/ data/
  git commit -m 'add database files'

Secure Code

  # .gitignore
  *.sql
  *.dump
  *.bak
  *.sqlite
  /backups/
  /seed/*.sql

  # Use migrations instead of raw dumps
  npx prisma migrate dev --name init

Real-World Example

In 2020, researchers discovered that thousands of public GitHub repositories contained database dumps with production data. One exposed .sql file from a healthcare company contained 150,000 patient records including Social Security numbers and medical diagnoses.

How to Prevent It

  • Add *.sql, *.dump, *.bak, and *.sqlite to .gitignore globally
  • Use migration tools (Prisma Migrate, Flyway) instead of raw SQL dumps
  • Scan repositories with truffleHog or gitleaks to detect committed backups
  • Store backups in encrypted cloud storage with restricted access, never in repos
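The scanning bullet above relies on external tools; the block below is an added example (not from this page or the Data Hogo product) of the same check written as a small pre-commit style scanner. It flags staged files two ways: by the extensions the page recommends ignoring, and by content signatures, so a dump renamed to `.txt` is still caught. It also looks for sensitive column names to rank the finding. The staged file set, the column-name list and all file contents are constructed for the demonstration.

```python
"""Flag database dump files before they are committed.

Added example (not page or product code). Checks a set of staged
files by extension and by content signature, then reports which
sensitive column names appear in the dump. All inputs are constructed.
"""
from __future__ import annotations

import fnmatch
import posixpath
import re

# Extensions the page recommends adding to .gitignore globally.
DUMP_EXTENSIONS = ("*.sql", "*.dump", "*.bak", "*.sqlite")

# Header signatures of common dump formats, checked on the first bytes only.
CONTENT_SIGNATURES = [
    (re.compile(rb"^-- MySQL dump", re.M), "mysqldump header"),
    (re.compile(rb"^-- PostgreSQL database dump", re.M), "pg_dump header"),
    (re.compile(rb"^PGDMP"), "pg_dump custom-format magic"),
    (re.compile(rb"^SQLite format 3\x00"), "SQLite file header"),
]

# Column names whose presence makes an exposed dump high severity (assumed list).
SENSITIVE_COLUMNS = re.compile(
    rb"\b(password|passwd|ssn|social_security|credit_card|email)\b", re.I
)


def matches_dump_extension(path: str) -> bool:
    """True when the file name ends in one of the dump extensions (case-insensitive)."""
    name = posixpath.basename(path).lower()
    return any(fnmatch.fnmatch(name, pat) for pat in DUMP_EXTENSIONS)


def sniff_content(data: bytes) -> str | None:
    """Return a label describing why the bytes look like a dump, or None."""
    head = data[:4096]
    for pattern, label in CONTENT_SIGNATURES:
        if pattern.search(head):
            return label
    # A plain SQL export has no header but carries schema and row inserts.
    if re.search(rb"\bCREATE TABLE\b", head, re.I) and re.search(rb"\bINSERT INTO\b", head, re.I):
        return "schema plus INSERT rows"
    return None


def scan_staged(files: dict[str, bytes]) -> list[dict]:
    """Return one finding per staged file that looks like a database dump."""
    findings = []
    for path, data in files.items():
        reasons = []
        if matches_dump_extension(path):
            reasons.append(f"extension matches {posixpath.splitext(path)[1]}")
        signature = sniff_content(data)
        if signature:
            reasons.append(f"content looks like a database dump ({signature})")
        if not reasons:
            continue
        columns = sorted({m.decode().lower() for m in SENSITIVE_COLUMNS.findall(data[:65536])})
        findings.append({
            "path": path,
            "reasons": reasons,
            "sensitive_columns": columns,
            "severity": "high" if columns else "medium",
        })
    return findings


# Constructed staged files: two obvious dumps, one renamed dump, two clean files.
SAMPLE_STAGED = {
    "backups/production-2024-01-15.sql": (
        b"-- MySQL dump 10.13  Distrib 8.0.36\n"
        b"CREATE TABLE `users` (`id` int, `email` varchar(255), `password` varchar(255));\n"
        b"INSERT INTO `users` VALUES (1,'alice@example.com','$2b$12$constructedhash');\n"
    ),
    "seed/users.dump": b"PGDMP\x01\x0e\x00\x00 constructed pg_dump custom-format bytes",
    "data/export.txt": (  # renamed dump: an extension check alone would miss it
        b"CREATE TABLE patients (id INT, ssn CHAR(11));\n"
        b"INSERT INTO patients VALUES (1, '000-00-0000');\n"
    ),
    "src/app.js": b"const db = require('./db');\nmodule.exports = db;\n",
    "README.md": b"# project\nRun `npx prisma migrate dev` to create the schema.\n",
}

if __name__ == "__main__":
    results = scan_staged(SAMPLE_STAGED)
    for f in results:
        print(f"{f['severity'].upper():6} {f['path']}: {'; '.join(f['reasons'])}"
              + (f" [columns: {', '.join(f['sensitive_columns'])}]" if f['sensitive_columns'] else ""))
    raise SystemExit(1 if results else 0)  # non-zero exit blocks the commit in a hook
```

Wired into a pre-commit hook, the scanner would receive the output of `git diff --cached --name-only` and read each file; it only protects future commits, so a repository that already contains a dump still needs its history rewritten and the backup treated as exposed.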

Affected Technologies

Node.js, Python, Java, PHP, Go

Data Hogo detects this vulnerability automatically.
