Mercurial repository found - Vulnerability Database

Mercurial repository found

Description

A Mercurial version control metadata directory (.hg) has been detected on the web server. This directory contains the complete repository history, source code, configuration files, and developer information. The .hg directory should never be present on production systems as it is intended only for development environments. Its presence indicates that code was deployed using a direct repository clone rather than a proper build and deployment process, exposing sensitive development artifacts to unauthorized access.

Remediation

Immediately remove all Mercurial metadata directories from production web servers. Implement the following remediation steps:

1. Remove the .hg directory:

rm -rf /path/to/webroot/.hg

2. Configure web server access restrictions:

For Apache, add the following to your configuration file or .htaccess:
<DirectoryMatch "/\.hg">
    Require all denied
</DirectoryMatch>

For Nginx, add to your server block:
location ~ /\.hg {
    deny all;
    return 404;
}

For IIS, add to web.config:
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment=".hg" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

3. Improve deployment process: Use proper build and deployment pipelines that export clean code without version control metadata. Consider using the 'hg archive' command, or CI/CD tools that automatically exclude repository files during deployment, instead of cloning the repository onto the server.
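The three steps above, as an added example script that is not Invicti's tooling: it audits a webroot for Mercurial metadata (the .hg directory and the .hg_archival.txt file that 'hg archive' writes by default), removes what it finds, verifies after the web-server rules are in place that the repository's own "requires" file is no longer served, and exports a clean tree for deployment. The paths and the base URL in the usage comments are assumptions; the functions take them as arguments.

```shell
#!/bin/sh
# Added example (not part of the Invicti vulnerability database entry).
# Audit a deployed webroot for Mercurial metadata, remove it, and deploy
# a clean export instead of a repository clone.

# find_hg_metadata ROOT
# Prints every .hg directory and every .hg_archival.txt below ROOT.
# Returns 0 when ROOT is clean and 1 when something was found, so a
# deployment pipeline can use it as a gate.
find_hg_metadata() {
    root="$1"
    hits=$(find "$root" \( -type d -name .hg \) -o \( -type f -name .hg_archival.txt \) 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# remove_hg_metadata ROOT
# Deletes what find_hg_metadata reports. Refuses an empty argument or "/"
# so that a mis-set variable cannot wipe the filesystem.
remove_hg_metadata() {
    root="$1"
    case "$root" in
        ""|/) echo "refusing to operate on '$root'" >&2; return 2 ;;
    esac
    find "$root" -type d -name .hg -prune -exec rm -rf {} +
    find "$root" -type f -name .hg_archival.txt -exec rm -f {} +
}

# http_check BASE_URL
# Post-remediation verification against your own server: .hg/requires is a
# file Mercurial always writes, so it must answer 403 or 404 once the
# Apache/Nginx/IIS rules are active. Needs curl and network access.
http_check() {
    status=$(curl -s -o /dev/null -w '%{http_code}' "$1/.hg/requires")
    echo "$1/.hg/requires -> HTTP $status"
    case "$status" in
        403|404) return 0 ;;
        *) return 1 ;;
    esac
}

# clean_export REPO REV DEST
# Step 3: export a working tree with 'hg archive' rather than cloning, then
# drop the .hg_archival.txt marker and re-run the audit on the result.
clean_export() {
    hg archive -R "$1" -r "$2" -t files "$3" &&
    rm -f "$3/.hg_archival.txt" &&
    find_hg_metadata "$3"
}

# Usage (assumed paths, not run automatically):
#   find_hg_metadata /var/www/html || remove_hg_metadata /var/www/html
#   http_check https://www.example.com
#   clean_export /srv/repos/site tip /var/www/html
```

find_hg_metadata is the part worth wiring into CI: run it against the build output before anything is copied to the server, and fail the job when it returns non-zero. http_check covers the case where the directory was removed from one server but the web-server rule was never applied to others behind the same load balancer.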
