Comments (10)
To be blunt, I think it is a very bad practice to put things like connection strings (even if they're development settings) in a git repo.
I believe this has just been done for ease of use, so that every developer is directly up to speed without having to set up some kind of configuration, but there are better ways to tackle this imo. Secrets can be stored by the ASP.NET SecretManager or in a centralized secure secret store. I think no shortcuts should be taken on security in favor of ease-of-use; especially for a government-backed application whose source code is publicly available. But these are just my 2 cents :)
from nl-covid19-notification-app-backend.
To add to this: this is not the first time secrets are 'leaked' in this repo (#7), and there are more extreme cases where data was leaked in a git repo (ironically, for a corona-tracking app for the Dutch government). Even though the keys and secrets are not used in production, you don't want people to think you're handling keys/secrets like amateurs.
More secrets can be found here and here
Thanks for keeping an eye on this! The docker setup is intended to be a standalone server for development purposes, so making sure the components can talk to each other is intentional. In production setups such secrets will be provided through configuration management.
I’ll ask the team to verify, just in case, and add comments where applicable.
The passwords in docker, the appsettings.Development.json and in the angular environments are all development settings. The production settings are stored in another system which the developers don't have access to :)
I can't speak for the other developers but my local settings are totally different from the settings we've provided for the docker deployment.
again? 😳
Comparing this to an actual data leak is apples and oranges, but point taken. The same fix as for #7 could probably be applied here. I’ll leave this open for now. Given that it’s a process improvement / best practice and not an actual leak, I’ll adjust the title to ‘developer level connection strings should be generated’. Agreed?
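The maintainer's proposal above, that developer-level connection strings be generated rather than committed, carried through as an added example that is not code from the nl-covid19-notification-app-backend project: a POSIX shell script that writes a fresh random database password into a git-ignored .env file for the local docker setup, and refuses to run while any of the settings files it is asked to scan still carries an inline password. The .env path, the variable names DB_USER and DB_PASSWORD, the connection-string name ConnectionStrings__ExampleDb and the `Password=` heuristic in the scanner are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the project's own code: generate per-developer secrets
# instead of committing them, and catch settings files that still embed one.
# Assumes the generated .env is listed in .gitignore so it never reaches git.
set -eu

# 16 random bytes from /dev/urandom as 32 hex characters: safe to embed in a
# connection string without quoting.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Write a docker-compose style .env file readable only by the current user.
# $1 = path of the .env file, $2 = password to embed. The variable names and the
# connection-string name ConnectionStrings__ExampleDb are assumptions.
write_env_file() {
    env_file="$1"
    password="$2"
    umask 077   # new file is created mode 0600
    printf 'DB_USER=dev\nDB_PASSWORD=%s\nConnectionStrings__ExampleDb=Server=db;Database=exampledb;User Id=dev;Password=%s\n' \
        "$password" "$password" > "$env_file"
}

# Heuristic check: does any given file contain "Password=<literal>" or "Pwd=<literal>"?
# A value that starts with "$" (e.g. Password=${DB_PASSWORD}) is a placeholder and
# is allowed. Returns 0 when all files are clean, 1 when a literal was found.
scan_for_secrets() {
    found=0
    for f in "$@"; do
        if grep -Eiq '(password|pwd)=[^;"[:space:]$]+' "$f"; then
            echo "inline credential found in $f" >&2
            found=1
        fi
    done
    return "$found"
}

# Usage: sh gen-dev-secrets.sh <path/to/.env> [settings files to scan...]
# With no arguments the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    target="$1"
    shift
    scan_for_secrets "$@"            # set -e aborts here if a literal password remains
    write_env_file "$target" "$(gen_password)"
    echo "wrote $target"
fi
```

Checked-in files such as appsettings.Development.json then reference `${DB_PASSWORD}` (or read the value from the environment) instead of carrying the literal, and each developer or tester gets their own generated value on first run while the docker quickstart stays a single command.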
To be blunt, I think it is a very bad practice to put things like connection strings (even if they're development settings) in a git repo.
I believe this has just been done for ease of use, so that every developer is directly up to speed without having to set up some kind of configuration, but there are better ways to tackle this imo. Secrets can be stored by the ASP.NET SecretManager or in a centralized secure secret store. I think no shortcuts should be taken on security in favor of ease-of-use; especially for a government-backed application whose source code is publicly available. But these are just my 2 cents :)
Agreed, and we've clarified the README.md for local quickstart development docker usage only in the upcoming sync. But I'd love to see your contributions on this point; do not hesitate to make a PR to improve the local docker development secrets. Keep in mind that we still want to enable app developers and testers to quickly start the latest version of the Standalone Server via docker without having to fuzzle with all the different configs.
This was resolved a couple of months ago, so I'm closing the ticket.