GeoNode / geonode

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data.
https://geonode.org/

Secret Key leak in git repo #12626

Closed spe11one closed 1 month ago

spe11one commented 1 month ago

Hi Team,

I got a repo in which you have disclosed some of your private keys. Repo: https://github.com/geosolutions-it/geonode/blob/6dd7db7e3aa126e19ef44deac2d897fc29c22ff0/.env#L165

```
OAUTH2_CLIENT_ID=Jrchz2oPY3akmzndmgUTYrs9gczlgoV20YPSvqaV
OAUTH2_CLIENT_SECRET=rCnp5txobUo83EpQEblM8fVj3QT5zb5qRfxNsuPzCqZaiRyIoxM4jdgMiZKFfePBHYXCLd7B8NlkfDBY9HKeIQPcy5Cp08KQNpRHQbjpLItDHv12GvkSeXp6OxaUETv3
SECRET_KEY='myv-y4#7j-dp-__@j#3z@!y24fz8%^z2v6atuy4bo9vqr1_a'
```

giohappy commented 1 month ago

@spe11one a few points:

  1. That's a repo from an organization, not a GeoNode repo, so in that case you should contact the organization.
  2. In case of security issues you shouldn't use a public issue. Either look for a private contact or open a Security advisory (for the target repo).
  3. Those secrets are just example variables. They're not used anywhere.