larymak / ToDo-list-App

A Todo list App made in Python and the Django framework. It is able to add, delete and update events.

Git commit history reveals secret #6

Open Sincronus-Conor opened 6 months ago

Sincronus-Conor commented 6 months ago

(Posted from wrong account, see comment below from @conormckenzie)

conormckenzie commented 6 months ago

Commit e4ae7c5f70de0762f23e976d019cb9e522faea7f reveals a production secret. Although it's later obscured in commit c25a1c62e342a6ad82f2ffb68e343a6b295a865c, it's still present in the commit history and can be found by someone who was looking to misuse it.

I don't know if this one is still in use, but in order to truly obscure it, it needs to be removed from the commit history.

If you want to keep it and are sure it's no longer in use, it may be a good idea to warn other new developers that just adding a commit to hide an exposed secret is not sufficient to protect it - and best practice is to revoke it since if someone accessed and saved it while it was public then even doing everything to make it private again doesn't guarantee it's safe.

That goes especially for new developers I think, so they don't take it as an example of what to do.

Side note: I came here from your article https://www.freecodecamp.org/news/how-to-write-a-good-readme-file/, thank you for writing it :)
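
An added example, not code from this repository or its author: a small Python scanner that walks every commit reachable from any ref and reports the ones whose diff adds or removes a line matching a secret pattern. Running it after a "hide the secret" commit shows the value is still recoverable from the earlier commit, which is the point made above. The Django-style SECRET_KEY pattern, the sample history and the key value inside it are constructed for this example.

```python
from __future__ import annotations

import re
import subprocess
from typing import Iterable

# Django-style secret assignment. Constructed for this example; the real
# value from the issue is deliberately not reproduced here.
SECRET_PATTERN = re.compile(r"SECRET_KEY\s*=\s*['\"]([^'\"]{20,})['\"]")


def find_secret_commits(history: Iterable[tuple[str, str]], pattern=SECRET_PATTERN):
    """Return (commit, '+' or '-') for commits whose diff touches a matching line.

    history yields (commit_id, diff_text). Removed ('-') lines are checked too:
    a commit that deletes the secret proves it was committed earlier and that
    the value is still stored in history until that history is rewritten.
    """
    hits = []
    for commit, diff in history:
        for line in diff.splitlines():
            # skip the '+++ b/file' / '--- a/file' headers, look at real hunk lines
            if line[:1] in "+-" and not line.startswith(("+++", "---")):
                if pattern.search(line):
                    hits.append((commit, line[0]))
                    break
    return hits


def git_history(repo_path: str):
    """Yield (commit, patch) for every commit reachable from any ref of a real repo."""
    run = lambda *args: subprocess.run(["git", "-C", repo_path, *args],
                                       capture_output=True, text=True, check=True).stdout
    for cid in run("rev-list", "--all").split():
        yield cid, run("show", "--format=", cid)


# Constructed sample history: commit aaaa111 adds the key, commit bbbb222
# replaces it with an environment lookup. The key is still in aaaa111's diff.
SAMPLE_HISTORY = [
    ("aaaa111", "+++ b/settings.py\n"
                "+SECRET_KEY = 'constructed-example-secret-key-0123456789'\n"),
    ("bbbb222", "--- a/settings.py\n"
                "-SECRET_KEY = 'constructed-example-secret-key-0123456789'\n"
                "+SECRET_KEY = os.environ['DJANGO_SECRET_KEY']\n"),
]

if __name__ == "__main__":
    for commit, sign in find_secret_commits(SAMPLE_HISTORY):
        print(commit, "adds the secret" if sign == "+" else "removes it (still in history)")
```

To scan an actual checkout, pass `git_history("/path/to/repo")` to `find_secret_commits`; any hit means the value must be treated as exposed and revoked, regardless of whether a later commit removed it.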

larymak commented 6 months ago

> Commit e4ae7c5 reveals a production secret. Although it's later obscured in commit c25a1c6, it's still present in the commit history and can be found by someone who was looking to misuse it.
>
> I don't know if this one is still in use, but in order to truly obscure it, it needs to be removed from the commit history.
>
> If you want to keep it and are sure it's no longer in use, it may be a good idea to warn other new developers that just adding a commit to hide an exposed secret is not sufficient to protect it - and best practice is to revoke it since if someone accessed and saved it while it was public then even doing everything to make it private again doesn't guarantee it's safe.
>
> That goes especially for new developers I think, so they don't take it as an example of what to do.
>
> Side note: I came here from your article https://www.freecodecamp.org/news/how-to-write-a-good-readme-file/, thank you for writing it :)

Hi @conormckenzie, thanks for pointing that out. Though the project was just a sample and is no longer in use, I will definitely be on the lookout for such occurrences in the future.