search

frdedynamics / find_the_duck

🐤 A social game. Have you found the duck? Write your name and hide it again for the next person!
https://frdedynamics.github.io/find_the_duck/
ISC License
1 stars 1 forks source link

Credentials in plain sight #16

Open MOJOliciousFTW opened 3 days ago

MOJOliciousFTW commented 3 days ago

Credentials are in plain sight in this public repo at https://github.com/frdedynamics/find_the_duck/blob/da632e87eafb76e68beb5c8590bc838871d63842/_config.yml#L43-L44

and are also found via public github page image

Expected credentials to be gh secrets and not found on page.

MOJOliciousFTW commented 2 days ago

forked and used github enterprise advanced security (GHAS) with AI enabled for secret scanning, neat image nice to see it got found there

MOJOliciousFTW commented 1 day ago

I'm not a front end developer, but I don't see anyway to hide supabase secrets when deploying a static site.

Looks like supabase has a free plan, is that what's used? Could not find info on what happens when free plan limits are reached, best case there will just be a hickup, worst case billing.

swampbear commented 7 hours ago
Screenshot 2024-09-29 at 17 04 12

It is a free plan yes. As i have understood it there is no billing if limits are hit. Unlimited api requests and a total storage of 500 mb

When db size is reached it changes to read only mode