FrigadeHQ / remote-storage

remoteStorage is a simple library that combines the localStorage API with a remote server to persist data across sessions, devices, and browsers. It works as a simple key-value database store and backend with support for React, Next.js, Vue, Node, or any JavaScript stack.
https://remote.storage
MIT License

Security Threat found #19

Closed abhishekpatel946 closed 7 months ago

abhishekpatel946 commented 7 months ago

Hi team, while exploring the codebase I found hardcoded keys, certs, etc. It's a potential risk for an open-source project like this one. I will paste all the code blocks here for your reference.

https://github.com/FrigadeHQ/remote-storage/blob/bfb4fa144f7198cfba1acb9d0723eafc5a76345a/apps/www/pages/_app.tsx#L14
https://github.com/FrigadeHQ/remote-storage/blob/bfb4fa144f7198cfba1acb9d0723eafc5a76345a/apps/remote-storage-server/certs/server.crt#L1
https://github.com/FrigadeHQ/remote-storage/blob/bfb4fa144f7198cfba1acb9d0723eafc5a76345a/apps/remote-storage-server/certs/server.csr#L1
https://github.com/FrigadeHQ/remote-storage/blob/bfb4fa144f7198cfba1acb9d0723eafc5a76345a/apps/remote-storage-server/certs/server.key#L1

If possible, port this hardcoded material into env variables or somewhere else, just like you did for the Redis configuration.

christianmat commented 7 months ago

Hey there! These keys are all public information. The posthog key used for the demo website is publicly available as well on https://remote.storage