KonradUdoHannes
commented
10 months ago I looked through the repo wrt. sensitive data and I didn't find any major issues.
On the frontend side the we have mock data that is at least partially real, which is a potential issue. But I think its fine for the following reasons.
- The correlaid members that are mentioned by name are member that are visible on the CorrelAid website anyways
- The Organization and Project partners listed appear to be fake (uncommon names and even more strange emails). @jandix can you confirm that they are indeed fake?
I bundled the mock Data on the frontend side into a separate module to make it easier to modify, review and remove. See #15. We can still remove the names of the correlaid members and replace them with something artificial, but I don't think its necessary to remove them from the commit history.
On the backend side I did not find any sensitive data as long as we make sure that the following environment variables are only used for local testing and not in any real deployment
- POSTGRES_USER
- POSTGRES_PASSWORD
- CSRF_SECRET
This should be fine given the docker compose env variable precedence according to which shell level env vars still overwrite what is in the docker compose file. The only thing this currently rules out, is the use of docker compose's --env-file cli option or env_file configuration file property, as these have lower precedence. As long as this is not needed, no change is required.
jandix
I think we should check for sensitive data in the repository. In particular we should check whether any of the mocked data for the frontend is sensitive.
If anything sensitive is found we need to remove it and probably squash a bunch of commits, so the sooner this happens (or at least gets checked) the better.