Police-Data-Accessibility-Project / data-source-map

Map of dataset statuses

feature: vue/mapbox POC #6

Closed joshuagraber closed 5 months ago

joshuagraber commented 5 months ago

fixes #5

gitguardian[bot] commented 5 months ago

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
| -------------- | ------------------ | ------ | ------ | -------- | ---- |
| [5639874](https://dashboard.gitguardian.com/incidents/5639874?occurrence=128010674) | Triggered | Google API Key | 4d07241b6e4f87221d761a47c3d27df7faf6fb30 | app/static/leaflet-data.js | [View secret](https://github.com/Police-Data-Accessibility-Project/data-source-map/commit/4d07241b6e4f87221d761a47c3d27df7faf6fb30#diff-ddf39964f394da417dd4f65585f7e3735116bc78ec49e00ac16c805071db057cL5) |
🛠 Guidelines to remediate hardcoded secrets
1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secret safely. [Learn here](https://blog.gitguardian.com/secrets-api-management?utm_source=product&utm_medium=GitHub_checks&utm_campaign=check_run_comment) the best practices.
3. Revoke and [rotate this secret](https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/googleaiza#revoke-the-secret?utm_source=product&utm_medium=GitHub_checks&utm_campaign=check_run_comment).
4. If possible, [rewrite git history](https://blog.gitguardian.com/rewriting-git-history-cheatsheet?utm_source=product&utm_medium=GitHub_checks&utm_campaign=check_run_comment). Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider:

- following these [best practices](https://blog.gitguardian.com/secrets-api-management/?utm_source=product&utm_medium=GitHub_checks&utm_campaign=check_run_comment) for managing and storing secrets including API keys and other credentials
- installing [secret detection on pre-commit](https://docs.gitguardian.com/ggshield-docs/integrations/git-hooks/pre-commit?utm_source=product&utm_medium=GitHub_checks&utm_campaign=check_run_comment) to catch secrets before they leave your machine and ease remediation.

🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

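The bot's last recommendation is a pre-commit secret check. As an added example (not GitGuardian's detector and not code from this repository), the block below shows the smallest useful version of such a check for the key type flagged here, next to the pattern that should replace a hardcoded key. The sample file contents are constructed, the key inside them is a placeholder of the right shape rather than a real credential, and the environment variable name `GOOGLE_API_KEY` is an assumption.

```javascript
// Added example, not GitGuardian's detector and not code from this repository:
// a minimal pre-commit style check for Google API keys in source text, next to
// the pattern that should replace a hardcoded key. The sample file below and
// the key inside it are constructed; the key has the right shape but is not a
// real credential.

// Google API keys are "AIza" followed by 35 characters from [0-9A-Za-z_-].
// The lookarounds stop a longer token from matching by accident.
const GOOGLE_API_KEY_RE = /(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])/g;

// Mask a secret for reporting: enough to locate it, never the whole value,
// so the hook's own output does not become a second leak.
function maskSecret(secret) {
  return secret.slice(0, 8) + "..." + secret.slice(-4);
}

// Scan source text and return one finding per match with a 1-based line number.
function findGoogleApiKeys(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const match of line.matchAll(GOOGLE_API_KEY_RE)) {
      findings.push({ line: idx + 1, masked: maskSecret(match[0]) });
    }
  });
  return findings;
}

// Constructed stand-in for a file like the flagged app/static/leaflet-data.js.
const SAMPLE_SOURCE = [
  "// constructed sample file, not the real leaflet-data.js",
  "const tileLayerOptions = { maxZoom: 18 };",
  "",
  "// hardcoded credential: this is what the scanner should flag",
  "const apiKey = 'AIzaEXAMPLEPLACEHOLDERKEY0123456789ABCD';",
  "export { apiKey, tileLayerOptions };",
].join("\n");

// Replacement pattern: read the key from the environment at build or run time.
// GOOGLE_API_KEY is an assumed variable name for this example.
function loadApiKeyFromEnv(env = process.env) {
  const key = env.GOOGLE_API_KEY;
  if (!key) {
    throw new Error("GOOGLE_API_KEY is not set; refusing to fall back to a hardcoded value");
  }
  return key;
}

// What a git pre-commit hook would compute: 1 blocks the commit, 0 lets it through.
// Takes a map of file name -> contents so it runs without touching the filesystem.
function preCommitCheck(files) {
  let failed = false;
  for (const [name, contents] of Object.entries(files)) {
    for (const finding of findGoogleApiKeys(contents)) {
      console.error(`${name}:${finding.line}: possible Google API key ${finding.masked}`);
      failed = true;
    }
  }
  return failed ? 1 : 0;
}

// Demo run over the constructed file; a real hook would set process.exitCode
// to this value.
console.log("exit status:", preCommitCheck({ "app/static/leaflet-data.js": SAMPLE_SOURCE }));
```

The finding reports a line number and a masked value only; the hook's log is often retained in CI output, so printing the full key there would recreate the problem the hook exists to prevent.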

josh-chamberlain commented 5 months ago

my steps:

I'm getting a PDAP logo then ~100vh of blank space before the footer. Console says I am erroring

DataSourceMap.vue:109 GET https://api.positionstack.com/v1/reverse?access_key=74903621f8c3e4a1e2c8aa3554a7f268&query=100.6.7.84 403 (Forbidden)
DataSourceMap.vue:111 Uncaught (in promise) TypeError: Cannot read properties of undefined (reading 'message')
    at DataSourceMap.vue:111:39
    at async geocodeReverse (DataSourceMap.vue:108:9)
    at async DataSourceMap.vue:28:23

At the https://api.positionstack.com/v1/reverse... url, I'm getting:

{
  "error": {
    "code": "https_access_restricted",
    "message": "Access Restricted - Your current Subscription Plan does not support HTTPS Encryption."
  }
}
joshuagraber commented 5 months ago

@josh-chamberlain Do you have some kind of "https everywhere" setting switched on in your browser? The positionstack API (the thing I'm currently using for geocoding for the POC) only allows https on paid plans. The URLs are set to http, but some browsers have a security setting that overrides this.

This won't be a problem once we're returning lat/lng from the API, but just for now it's a little headache.

josh-chamberlain commented 5 months ago

@joshuagraber nice, I fixed it by clearing localhost:8888/ from chrome://net-internals/#hsts then clearing my cache. The map loads!
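The two comments above describe two separate things: the browser upgrading the `http://` URL to HTTPS (fixed on Josh's machine via the HSTS entry), and the page code then crashing because it reads `.message` off a response shape it did not expect. The block below is an added example, not the project's `DataSourceMap.vue` code, of a reverse-geocode call that treats the 403 body as data rather than crashing on it. The positionstack request and response shapes are assumptions based on the thread, `fetchImpl` is injectable so the example runs offline against constructed responses, and the access key and query are placeholders.

```javascript
// Added example, not the project's DataSourceMap.vue code: a reverse-geocode
// call that handles an error response instead of crashing on
// "Cannot read properties of undefined (reading 'message')". The positionstack
// request and response shapes are assumptions based on the thread; fetchImpl
// is injectable so the example runs offline. Key and query are placeholders.

// http: deliberately, because the free plan rejects HTTPS (see the 403 body).
const POSITIONSTACK_REVERSE_URL = "http://api.positionstack.com/v1/reverse";

// Turn an HTTP status plus parsed body into a result object. Never assumes
// body.data or body.error exist; that assumption is what produced the crash.
function interpretGeocodeResponse(status, body, query) {
  const ok = status >= 200 && status < 300;
  const apiError = body && typeof body === "object" ? body.error : undefined;
  if (!ok || apiError) {
    const code = (apiError && apiError.code) || `http_${status}`;
    let message = (apiError && apiError.message) || `HTTP ${status}`;
    if (code === "https_access_restricted") {
      // Seen when an HTTPS-only or HSTS browser setting upgrades the http:// URL.
      message += " (request went out over HTTPS; check HTTPS-only or HSTS settings for this host)";
    }
    return { ok: false, code, message };
  }
  const first = body && Array.isArray(body.data) ? body.data[0] : undefined;
  if (!first || typeof first.latitude !== "number" || typeof first.longitude !== "number") {
    return { ok: false, code: "no_results", message: `No geocode result for ${query}` };
  }
  return { ok: true, latitude: first.latitude, longitude: first.longitude, label: first.label };
}

async function geocodeReverse(query, accessKey, fetchImpl = globalThis.fetch) {
  const url =
    `${POSITIONSTACK_REVERSE_URL}?access_key=${encodeURIComponent(accessKey)}` +
    `&query=${encodeURIComponent(query)}`;
  const res = await fetchImpl(url);
  let body = null;
  try {
    body = await res.json(); // error bodies are JSON too, but guard against non-JSON
  } catch (_) {
    body = null;
  }
  return interpretGeocodeResponse(res.status, body, query);
}

// Constructed responses standing in for the live API.
function fakeFetch(status, jsonBody) {
  return async () => ({ status, json: async () => jsonBody });
}

// The 403 body quoted in the thread.
const FORBIDDEN_BODY = {
  error: {
    code: "https_access_restricted",
    message: "Access Restricted - Your current Subscription Plan does not support HTTPS Encryption.",
  },
};
// Assumed success shape (constructed coordinates and label).
const SUCCESS_BODY = {
  data: [{ latitude: 40.7128, longitude: -74.006, label: "constructed sample label" }],
};

async function demo() {
  // 203.0.113.7 is a documentation-range address, used here as a placeholder query.
  const failed = await geocodeReverse("203.0.113.7", "PLACEHOLDER_KEY", fakeFetch(403, FORBIDDEN_BODY));
  const good = await geocodeReverse("203.0.113.7", "PLACEHOLDER_KEY", fakeFetch(200, SUCCESS_BODY));
  console.log(failed);
  console.log(good);
  return [failed, good];
}

demo();
```

Splitting the response interpretation out of the `fetch` call keeps the failure handling testable without a network, and returning a result object instead of throwing means the Vue component can render "geocoding unavailable" rather than leaving a blank viewport.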

joshuagraber commented 5 months ago

> I see this is just a draft, I may have got excited

I hadn't opened for review, but I agree, this makes sense as a starting point. Marked as ready for review, will add README stuff and merge.