What is it?
When committing code to GitHub, developers must make sure that no credentials are pushed with it. Even if the repository is private, it is still not recommended to put your keys/passwords on GitHub, for the following reasons:
It is very risky: exposing those credentials on a third-party service that you do not control or manage increases the risk. There are many ways your credentials could be exposed: service compromise, compromised service accounts, authorization failures in the service, network eavesdropping, you granting access to the wrong person, etc. This puts your company and its reputation at serious risk.
How to find the suspected information
There are several ways keys end up exposed statically in the code. Simply search for terms such as "KEY", "API KEY", "Password", "credentials", "phpinfo" etc. The aim is to identify which files contain this information as static content. Most of the time the credentials are found in the controllers and the config folder in Laravel.
If some files are suspected of holding this kind of data, the information should be passed to the team along with the action needed to remove them as soon as possible. Only deleting the current file will not solve the problem (it remains in the history), so the recommended way must be followed.
Examples of the credentials being saved on github
API keys statically placed in any controller or in services.php, such as a Mailgun API key or a Stripe key.
Important information such as an admin/superuser password added to a seeder file for inserting default data into tables.
Server variables/credentials exposed as system/server information printed by a function [echo phpinfo() in any file, function or route].
Dummy env files such as stagenv or .env~ uploaded with live credentials; make sure no such file is on GitHub.
Recommended way
Always use env variables, as they are accessible throughout the application via a specific function in every language, and DO NOT push the env file to GitHub. In place of the actual file, create a dummy file such as .env.example with the sample env variable names and random values, so that anyone who needs to set up the same project can refer to it and use the actual keys/passwords on their local machine. When deploying to Heroku, just add the required variables as config vars in the settings.
Variables such as the Mailgun API key, Stripe key etc. should be added to the .env file so that they can be called from any file; change every variable that is statically added to a file to an env variable and call it by its key. In this way you can keep all environments (local, staging and production) in sync without the credentials being on GitHub. For example, if we need to add a service password, it should be a key such as GOOGLE_PLACE_PASSWORD holding the value in all three environments: locally it lives in the .env file, and on staging/production it is listed as a config variable under settings.
What we expect
As explained above, having credentials on GitHub is critical, so we expect the following to be followed in each repository:
No API KEY
No Username/Password
No URLs such as Database url, Redis url etc
No other sensitive data such as email details etc.
What if you accidentally added the credentials to github
If someone accidentally commits and pushes a credentials file, the file can be deleted from GitHub. But if you just delete the file, commit and push, anyone with access to the repository can still see it when browsing the file history on GitHub. The solution is to delete the file and also remove it from the GitHub history; the steps below explain the process:
The file can be removed with the help of git filter-branch (run from a fresh clone):
git clone https://github.com/YOUR-USERNAME/YOUR-REPOSITORY
cd YOUR-REPOSITORY
# rewrite every branch and tag, dropping the file from each commit
git filter-branch --force --index-filter \
  'git rm --cached --ignore-unmatch PATH-TO-YOUR-FILE-WITH-SENSITIVE-DATA' \
  --prune-empty --tag-name-filter cat -- --all
# make sure the file cannot be committed again
echo "YOUR-FILE-WITH-SENSITIVE-DATA" >> .gitignore
git add .gitignore
git commit -m "Add YOUR-FILE-WITH-SENSITIVE-DATA to .gitignore"
# overwrite the history on GitHub; a secret that was already pushed should still be treated as compromised
git push origin --force --all
Additional :
Apart from credentials not being sent to GitHub, no certificate file should be pushed to GitHub either. Also do not print environment variables or system info using phpinfo on any URL or in any file, as this can expose your secret credentials.
No certificates on GitHub
Do not print environment variables
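As an added example (not part of the original post) that covers both the search described under "How to find the suspected information" and the rules under "Additional", the following POSIX shell script scans a Laravel-style checkout for forbidden files and hard-coded credentials. The file-name list and the regex are assumptions to adapt per project, and the sample tree it builds is constructed for the demonstration.

```shell
# Added example (not from the original post): pre-push check for a Laravel-style
# tree. File list and regex are a heuristic starting point (assumption).
scan_repo() {
    dir="$1"; hits=0
    # 1. Files that must never be committed: the real .env, backup/staging
    #    copies (.env~, stagenv), certificates and private keys. Only
    #    .env.example (sample names, dummy values) is allowed; .git is skipped.
    forbidden=$(find "$dir" -path '*/.git' -prune -o -type f \( \
        -name '.env' -o -name '.env~' -o -name '.env.*' -o -name 'stagenv' \
        -o -name '*.pem' -o -name '*.key' -o -name '*.crt' -o -name '*.p12' \) \
        ! -name '.env.example' -print)
    for f in $forbidden; do
        echo "forbidden file: $f"; hits=$((hits + 1))
    done
    # 2. PHP lines assigning key/secret/password/token (=>, =, :) a quoted
    #    literal of 8+ chars, optionally wrapped in Hash::make()/bcrypt() as
    #    seeders do. Lines that read the value through env() are ignored.
    pat="(key|secret|password|token)['\"]?[[:space:]]*(=>|=|:)[[:space:]]*"
    pat="$pat(Hash::make\(|bcrypt\()?['\"][^'\"]{8,}['\"]"
    for f in $(find "$dir" -path '*/.git' -prune -o -type f -name '*.php' -print); do
        if grep -Ei "$pat" "$f" | grep -qv 'env('; then
            echo "hard-coded secret: $f"; hits=$((hits + 1))
        fi
        if grep -q 'phpinfo(' "$f"; then
            echo "phpinfo() exposes server config: $f"; hits=$((hits + 1))
        fi
    done
    echo "$hits finding(s)"
    return $hits   # non-zero exit blocks the push when used as a git hook
}
# Constructed sample tree (not a real project) to exercise the scanner.
make_sample_repo() {
    root=$(mktemp -d)
    mkdir -p "$root/config" "$root/database/seeders" "$root/.git"
    echo "MAILGUN_SECRET=dummy-value" > "$root/.env.example"   # allowed
    echo "MAILGUN_SECRET=key-live000000" > "$root/.env~"       # forbidden
    cat > "$root/config/services.php" <<'EOF'
<?php
return [
    'mailgun' => ['secret' => env('MAILGUN_SECRET')],    // recommended
    'stripe'  => ['key' => 'sk_test_0123456789abcdef'],  // hard-coded
];
EOF
    cat > "$root/database/seeders/UserSeeder.php" <<'EOF'
<?php
$admin = ['password' => bcrypt('Sup3rAdminPass')];  // seeded admin password
EOF
    echo "$root"
}
```

Running `scan_repo "$(make_sample_repo)"` reports the backup env file, the Stripe key in services.php and the seeded admin password (3 findings) while passing the env()-based Mailgun line and .env.example.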