AOSSIE-Org / PictoPy

An image sorter that sorts photos based on the face encodings in them.
https://aossie-org.github.io/PictoPy/

BUG: Security vulnerability, .env file committed to repo #71

Open yashpandey06 opened 1 week ago

yashpandey06 commented 1 week ago

Is there an existing issue for this?

What happened?

The .env file is being pushed to the repo; we should rather use some other means to keep these secrets private, right?

[Screenshot 2024-11-20 at 4:12:52 PM]

yashpandey06 commented 1 week ago

@Pranav0-0Aggarwal can you please help explain the need for this .env file?

Dhruv-pahuja commented 1 week ago

I am working on it.

yashpandey06 commented 1 week ago

@Dhruv-pahuja please, from next time, let's first enquire whether the person who has raised the issue is working on it or not... that's how open source works, if I am not wrong!

yashpandey06 commented 1 week ago

Let's not jump right into solving the issue without consulting the issue master 😔.

Dhruv-pahuja commented 1 week ago

Ohh, so sorry @yashpandey06, I will consider this from next time and I may close this PR if you are working on it.

yashpandey06 commented 1 week ago

@Dhruv-pahuja please don't close the PR... but let's be active from next time.

Rajgupta36 commented 1 week ago

@yashpandey06, I think the env file only contains default keys that are available to everyone. Also, in the Docker setup, he uses these keys as env variables.

yashpandey06 commented 1 week ago

> @yashpandey06, I think the env file only contains default keys that are available to everyone. Also, in the Docker setup, he uses these keys as env variables.

@Rajgupta36 even then it would be good practice to clarify that this env is the example env, somewhat like ".env.example".

Rajgupta36 commented 1 week ago

@yashpandey06 yep, it's good practice. Although I also figured out a few bugs, they are only one or two errors. Should I create a PR for that or include it in a bigger PR?

Pranav0-0Aggarwal commented 4 days ago

Hey, I guess @Dushyantbha012 hardcoded the keys, so that's where the .env file came from.

Is someone working on this issue?

Dushyantbha012 commented 4 days ago

No, I didn't hard-code anything in .env; it's @zenitsu0509.

zenitsu0509 commented 4 days ago

Can you tell me where it is located @Dushyantbha012?

zenitsu0509 commented 4 days ago

It's not a big issue, it just contains public and private keys.

yashpandey06 commented 4 days ago

> It's not a big issue, it just contains public and private keys.

Yeah, it's not, but how about we follow industry standards 😄.

Dhruv-pahuja commented 4 days ago

I have a suggestion: just put the .env file in .gitignore and add .env.example to this repo, adding these values in that example file.

yashpandey06 commented 4 days ago

> I have a suggestion: just put the .env file in .gitignore and add .env.example to this repo, adding these values in that example file.

Yeah, exactly.
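The fix agreed on in the thread (ignore the real `.env`, commit a `.env.example` that lists the same variables with placeholder values) is easy to state but worth verifying mechanically. The script below is an added example, not PictoPy's own code: it builds a scratch repository in a temporary directory with constructed file contents and constructed key values, then checks that git ignores and does not track `.env`, that the template carries no live-looking values, and that the template declares the same variable names as the real file.

```shell
#!/bin/sh
# Added example, not PictoPy's own code: demonstrates the fix suggested in the thread
# (ignore the real .env, commit a placeholder .env.example) and checks that git
# actually refuses to track .env. All file contents and key values below are constructed.
set -eu

# Build a scratch repository in a temp directory so the example runs offline and
# never touches a real project. Prints the repository path.
setup_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  # Real secrets live only in the ignored .env (constructed sample values, not real keys).
  printf 'PUBLIC_KEY=pk_live_CONSTRUCTED_VALUE\nPRIVATE_KEY=sk_live_CONSTRUCTED_VALUE\n' > "$dir/.env"
  # The committed template lists every variable but carries placeholders only.
  printf 'PUBLIC_KEY=your_public_key_here\nPRIVATE_KEY=your_private_key_here\n' > "$dir/.env.example"
  printf '.env\n' > "$dir/.gitignore"
  git -C "$dir" add .gitignore .env.example
  git -C "$dir" -c user.name=example -c user.email=example@example.invalid \
    commit -q -m "Ignore .env, add .env.example template"
  printf '%s\n' "$dir"
}

# Succeeds (exit 0) when git ignores .env in the repository at $1.
env_is_ignored() {
  git -C "$1" check-ignore -q .env
}

# Succeeds when .env is not in the index, i.e. was never staged or committed.
env_not_tracked() {
  ! git -C "$1" ls-files --error-unmatch .env >/dev/null 2>&1
}

# Succeeds when no value in .env.example matches the (constructed) live-key
# prefixes that the real .env uses, i.e. the template holds placeholders only.
example_has_no_secrets() {
  ! grep -Eq '=(pk|sk)_live_' "$1/.env.example"
}

# Succeeds when .env and .env.example declare the same variable names, so the
# template stays a complete guide to what a contributor must supply locally.
example_matches_env_keys() {
  a=$(cut -d= -f1 "$1/.env" | sort)
  b=$(cut -d= -f1 "$1/.env.example" | sort)
  [ "$a" = "$b" ]
}

repo=$(setup_repo)
env_is_ignored "$repo" && env_not_tracked "$repo" && example_has_no_secrets "$repo" \
  && example_matches_env_keys "$repo" && echo "all checks passed in $repo"
```

`git check-ignore` is the quick way to confirm a `.gitignore` rule actually covers the file; the same checks can be run against the real repository by pointing the functions at its path instead of the scratch one. One caveat the thread does not spell out: `.gitignore` only stops future `git add` calls. A `.env` that was already committed stays in the history after the file is deleted, so any values it held should be treated as exposed and replaced.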