Open Source Projects: What to do with confidential / secret configuration data?

I am considering open-sourcing the code for my own GitHub website. Until now I have kept the code in a private repo, and my only problem is that there are several configuration files related to my production environment (DB passwords, API keys, etc.) that I do not want to make public.

What is the typical approach to open-sourcing such projects without exposing private data? Do you just maintain two repos, a public one and an identical private one with the private data added, merging between them occasionally?

+6
2 answers

In the case of Git, I would recommend that you add rules to your .gitignore to ignore files containing sensitive information (.hgignore for Mercurial). Try to keep confidential information in one place as much as possible (for example, a settings file). If you are working with a web app, this information is usually in a single file (for example, in Django there is a settings.py file with information about the database, secret key, etc.). If you have confidential information scattered across different parts of the application, move it into a single configuration file or object.

If you want people to still know where the data comes from, include an example or dummy file with fake data, with a note somewhere (either in the file or in the README) that the file should be modified. Then you can name the file, for example, settings.py.example and ignore the real settings.py.

Keeping multiple repositories is a bad idea. Just leave the sensitive data out and make sure you make it obvious that it is missing, so that people can still reuse your work.

+7
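One way to enforce the settings.py.example pattern this answer describes, as an added example that is not part of the original post: a small Python check that compares a real settings file against the committed example, flags keys that are missing or still hold the example placeholder, and confirms the real file is listed in .gitignore. The file names, the KEY = 'value' subset of settings syntax and the placeholder conventions are assumptions; the sample file contents are constructed inline.

```python
"""Check a real settings.py against the committed settings.py.example; an added
example whose file names, syntax subset and placeholder rules are assumptions."""
import re

# Values that mean "fill me in": changeme, your-..., <anything>, xxx..., or empty.
PLACEHOLDER = re.compile(r"^(changeme|your[-_].*|<.*>|x{3,}|)$", re.IGNORECASE)
ASSIGNMENT = re.compile(r"^([A-Z_][A-Z0-9_]*)\s*=\s*['\"]?([^'\"]*)['\"]?$")

def parse_settings(text):
    """Parse simple KEY = 'value' lines; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        match = ASSIGNMENT.match(raw.split("#", 1)[0].strip())
        if match:
            settings[match.group(1)] = match.group(2)
    return settings

def check_real_settings(example_text, real_text):
    """List keys the example defines that the real file lacks or whose
    placeholder value was copied over unchanged (empty list means OK)."""
    example, real = parse_settings(example_text), parse_settings(real_text)
    problems = []
    for key, example_value in example.items():
        if key not in real:
            problems.append(f"{key}: missing from real settings (see example file)")
        elif PLACEHOLDER.match(example_value) and (
                real[key] == example_value or PLACEHOLDER.match(real[key])):
            problems.append(f"{key}: still holds the example placeholder")
    return problems

def gitignore_covers(gitignore_text, filename):
    """True if filename is a plain (non-glob, non-negated) .gitignore entry."""
    entries = [line.strip().lstrip("/") for line in gitignore_text.splitlines()
               if line.strip() and not line.lstrip().startswith(("#", "!"))]
    return filename in entries

# Constructed sample files; the DB password is a dummy value, not a credential.
EXAMPLE_FILE = """# settings.py.example: copy to settings.py, replace placeholders
SECRET_KEY = 'changeme'
DB_PASSWORD = '<db-password>'
API_KEY = ''
DEBUG = False
"""
REAL_FILE = """SECRET_KEY = 'changeme'
DB_PASSWORD = 'dummy-value-for-tests'
DEBUG = False
"""
GITIGNORE = """# local configuration stays out of the public repo
settings.py
"""
```

Run check_real_settings(EXAMPLE_FILE, REAL_FILE) before a release or in a deploy hook: it reports the unchanged SECRET_KEY and the missing API_KEY, while gitignore_covers(GITIGNORE, "settings.py") confirms the real file cannot be committed by accident.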

Logically there are really only two things you can do without revealing your confidential information:

  • Do not put the information into the public VCS at all.
  • Put the information into the VCS in a cryptographically secure manner.

I personally would not want to duplicate repositories, and if you need to deploy directly from VCS, then you are largely left with option 2. Obviously this will depend on your infrastructure, but in .NET, for example, I'd ensure that your connection strings and API keys were stored in the web.config file and then correctly encrypted (I talk about this in the section "Encrypting confidential configuration data" of OWASP Top 10 for .NET developers part 6: Security Misconfiguration).

With this approach, you put the necessary information in the configuration file so that it can be used successfully on the machine where the encryption took place, but nowhere else. Try to run the application on another machine, and an exception will be thrown because the keys differ.

0

Source: https://habr.com/ru/post/886600/
