gdg-x / aura

Web App for Community Management | Site
https://myaurapp.web.app/

Security Risk #80

Open chtushar opened 4 years ago

chtushar commented 4 years ago

`apiKey`, `authDomain`, `databaseURL`, `projectId`, `storageBucket`, `messagingSenderId`, `appId`

are visible here. Kindly fix this issue as it seems to be a High Security Risk. This information should be kept confidential.

Solution:

```js
// firebaseConfig.js (kept out of version control)
const firebaseConfig = { /* apiKey, authDomain, databaseURL, projectId, storageBucket, messagingSenderId, appId */ };
module.exports = firebaseConfig
```

* Import the file firebaseConfig.js in firebase.js
* Add the following line to the .gitignore file in the root directory:
  `firebaseConfig.js`
* And commit; the issue will be solved!

Happy Hacking! :)
aravindvnair99 commented 3 years ago

@chtushar This isn't a High-Security Risk. The configuration snippet just identifies a Firebase project on Google servers. In fact, it is necessary to include it for users to interact with a Firebase project. This same configuration data is also included in every web or iOS or Android app that uses Firebase as its backend. It's just publicly available data.

Please close this issue.

agarwalbharat commented 3 years ago

Working on it... as the concern is correct....

Already fixed for Aura Admin in https://github.com/gdg-x/aura-admin/pull/66

aravindvnair99 commented 3 years ago

> Working on it... as the concern is correct....
>
> Already fixed for Aura Admin in gdg-x/aura-admin#66

@bharatagsrwal That's not a valid security bug as I mentioned in https://github.com/gdg-x/aura/issues/80#issuecomment-789742861. Could you please explain why it's a valid concern?

Appending /__/firebase/init.js to any Firebase domain will give you the config for that particular project. Such as for the PR you tagged, here it is: https://myaurapp.firebaseapp.com/__/firebase/init.js or https://auradmin.web.app/__/firebase/init.js

The configuration snippet just identifies a Firebase project on Google servers. It's just publicly available data.
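As an added illustration of the point argued in this thread (this is not code from the gdg-x/aura project or from any commenter): the seven fields named in the opening post are public identifiers that Firebase itself serves from `/__/firebase/init.js`, so moving them into a gitignored `firebaseConfig.js` hides nothing. What a pre-commit check on a Firebase project should actually catch is credential material such as a service-account private key or a legacy database secret. The script below is a self-contained Node.js check written for this example; `classifyConfig` and `reviewConfig` are names chosen here, `measurementId` is a real web-config field not mentioned in the thread, and both sample objects are constructed with placeholder values.

```javascript
// Added example, not from the gdg-x/aura project: distinguish the public Firebase
// web-config identifiers from credential material that must never be committed.

// The seven fields named in the issue, plus measurementId, which newer configs carry.
// Firebase serves these at <host>/__/firebase/init.js, so they are public data.
const PUBLIC_FIREBASE_KEYS = new Set([
  "apiKey", "authDomain", "databaseURL", "projectId",
  "storageBucket", "messagingSenderId", "appId", "measurementId",
]);

// Key names that indicate real secrets: service-account JSON fields, legacy
// database secrets, bearer tokens. These grant privileges the public config does not.
const SECRET_KEY_PATTERNS = [
  /^private_key(_id)?$/i,          // service-account JSON
  /^client_email$/i,               // service-account JSON (names the privileged identity)
  /secret/i,                       // e.g. legacy databaseSecret, clientSecret
  /^(access|refresh|id)?_?token$/i,
];

// Value shapes that are credential material whatever the key is called.
const SECRET_VALUE_PATTERNS = [
  /-----BEGIN [A-Z ]*PRIVATE KEY-----/,
];

// Sort each top-level field of a config object into public / secret / unknown.
function classifyConfig(config) {
  const result = { public: [], secret: [], unknown: [] };
  for (const [key, value] of Object.entries(config)) {
    const text = typeof value === "string" ? value : JSON.stringify(value);
    const keyLooksSecret = SECRET_KEY_PATTERNS.some((re) => re.test(key));
    const valueLooksSecret = SECRET_VALUE_PATTERNS.some((re) => re.test(text));
    if (keyLooksSecret || valueLooksSecret) {
      result.secret.push(key);
    } else if (PUBLIC_FIREBASE_KEYS.has(key)) {
      result.public.push(key);
    } else {
      result.unknown.push(key);
    }
  }
  return result;
}

// Verdict for a pre-commit hook: a file is safe to commit when it holds no secret fields.
// Unknown fields are reported so a reviewer can extend the lists, but they do not block.
function reviewConfig(config) {
  const classes = classifyConfig(config);
  return { safeToCommit: classes.secret.length === 0, ...classes };
}

// Constructed sample 1: the shape of the web config quoted in the issue, placeholder values.
const webConfig = {
  apiKey: "AIza-PLACEHOLDER",
  authDomain: "example-project.firebaseapp.com",
  databaseURL: "https://example-project.firebaseio.com",
  projectId: "example-project",
  storageBucket: "example-project.appspot.com",
  messagingSenderId: "000000000000",
  appId: "1:000000000000:web:PLACEHOLDER",
};

// Constructed sample 2: a service-account file that must stay out of git and out of
// any browser bundle; the PEM body is a placeholder, not a real key.
const serviceAccountLike = {
  projectId: "example-project",
  client_email: "firebase-adminsdk@example-project.iam.gserviceaccount.com",
  private_key: "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
};

const webVerdict = reviewConfig(webConfig);                    // safeToCommit: true, 7 public fields
const serviceAccountVerdict = reviewConfig(serviceAccountLike); // safeToCommit: false
console.log(JSON.stringify(webVerdict, null, 2));
console.log(JSON.stringify(serviceAccountVerdict, null, 2));
```

The control that actually protects data behind a public web config is Firebase Security Rules (with API key restrictions as a second layer); a check like this one only keeps genuinely privileged material, the kind that bypasses those rules, out of the repository.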