How to protect database credentials stored in Laravel environment files?

I recently switched to deploying environment-based applications for Laravel, and I decided to save the credentials for my local and production server in .env files using $_ENV; however, I found that when debugging is turned on and an exception occurs, the environment variables are displayed, showing the database credentials.

Now I'm sure that debugging will always be turned off, because this is what I have by default, and then I override it in a local folder for my local environment. However, if somehow debugging is turned on in production and a user forces a 404 exception, all they need to do is read down the page until they see the environment variables in a plain view that reveals the credentials. The docs say that for any "real" application it is best to use the database credentials from the actual configuration. I may be a little paranoid here.

Is there a way to limit what is shown on the debug screen displayed by Laravel?

+6
2 answers

I recently ran into the same problem while the project I was working on required me to temporarily open my machine to the evil outside world in order to test some API callbacks.

Thus, I was exposing all my precious keys and passwords whenever Whoops appeared. Even if it was a blind API callback machine, the likelihood that they would log responses to their requests, and some engineer would sift through them and find some AWS keys, was not appreciated.

Here is what I am using now:

```php
App::error(function (Exception $exception, $code) {
    // Never, ever, use environment variables in responses, not even when debugging.
    // Drop every key that came from the .env file out of $_SERVER, then empty $_ENV.
    $_SERVER = array_except($_SERVER, array_keys($_ENV));
    $_ENV = [];
});
```
+5

Laravel uses Whoops (filp/whoops) to create the debug page, and you can see here that it uses $_ENV to get the environment variables. Although not ideal, you can simply clear $_ENV when the error occurs in any environment other than local.

This is quite simple to do by overriding App::error (and possibly App::fatal too) in app/start/global.php, something like this:

```php
App::error(function (Exception $exception, $code) {
    Log::error($exception);

    // Only the local environment keeps its variables on the debug page.
    if (App::environment() !== 'local') {
        $_ENV = [];
    }
});
```

This works because the exception handler is called before the Whoops handler.

Now the right, best way to do this is to create a class that extends Whoops\Handler\PrettyPageHandler that does not display environment variables (or changes any other unwanted behavior) and, based on the environment, register it as the whoops.handler component for your application, similar to how it is done in Illuminate\Exception\ExceptionServiceProvider::registerPrettyWhoopsHandler. I do not think it is worth all the trouble.

+3
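The handler subclass the answer above sketches, written out as an added example (not code from either answer, nor from Laravel or Whoops). It masks the values of sensitive-looking keys rather than wiping the whole array, so the rest of the environment remains visible for debugging. The key pattern and the `whoops.handler` rebinding are assumptions; the binding has to be in place before Laravel resolves its exception handler, so a service provider's register() method is the safer place than app/start/global.php.

```php
<?php
// Added example: a Whoops handler that redacts secrets before rendering.
// Not code from the answers above, nor from Laravel or Whoops.

use Whoops\Handler\PrettyPageHandler;

class RedactingPrettyPageHandler extends PrettyPageHandler
{
    // Assumed pattern for which keys count as secrets; adjust it to your .env.
    const SECRET_KEY_PATTERN = '/(PASS(WORD)?|SECRET|KEY|TOKEN|USERNAME|DSN)$/i';

    /**
     * Return a copy of $vars with the values of sensitive keys masked.
     * Pure function, so it can be unit tested without a request.
     */
    public static function redact(array $vars, $pattern = self::SECRET_KEY_PATTERN)
    {
        foreach ($vars as $key => $value) {
            if (preg_match($pattern, (string) $key)) {
                $vars[$key] = '[redacted]';
            }
        }

        return $vars;
    }

    public function handle()
    {
        // Whoops reads the superglobals directly when it builds the page, so
        // redact them in place (both, since .env values land in $_SERVER too)
        // before delegating to the stock renderer.
        $_ENV    = static::redact($_ENV);
        $_SERVER = static::redact($_SERVER);

        return parent::handle();
    }
}

// Registration (assumption: placed in a service provider's register() method
// so it runs before the 'exception' binding is resolved and Whoops is built).
App::bind('whoops.handler', function () {
    return new RedactingPrettyPageHandler;
});
```

With this in place, a forced exception in a non-local environment still renders the stack trace, but DB_PASSWORD, APP_KEY and similar entries show up as [redacted]; the plain App::error approach from the answers remains a simpler fallback.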

Source: https://habr.com/ru/post/973850/
