From 78e1ff5dc8409acb73a4a221bbe4fd0567bf18b9 Mon Sep 17 00:00:00 2001 From: Devin Date: Sat, 18 Apr 2026 20:01:46 +0000 Subject: [PATCH] fix(scripts): require DB_PASSWORD env var in setup-database.sh PR #3 scrubbed ***REDACTED-LEGACY-PW*** from every env file, compose unit, and deployment doc but missed scripts/setup-database.sh, which still hard- coded DB_PASSWORD="***REDACTED-LEGACY-PW***" on line 17. That slipped past gitleaks because the shell-escaped form (backslash-dollar) does not match the L@kers?\$?2010 regex committed in .gitleaks.toml -- the regex was written to catch the *expanded* form, not the source form. This commit removes the hardcoded default and requires DB_PASSWORD to be exported by the operator before running the script. Same pattern as the rest of the PR #3 conversion (fail-fast at boot when a required secret is unset) so there is no longer any legitimate reason for the password string to live in the repo. Verification: git grep -nE 'L@kers?\\?\$?2010' -- scripts/ # no matches bash -n scripts/setup-database.sh # clean
---
 scripts/setup-database.sh | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/scripts/setup-database.sh b/scripts/setup-database.sh
index dfc9b63..0f2e14f 100644
--- a/scripts/setup-database.sh
+++ b/scripts/setup-database.sh
@@ -13,9 +13,15 @@ if [ "$EUID" -ne 0 ]; then
 exit 1
 fi
-DB_USER="explorer"
-DB_PASSWORD="***REDACTED-LEGACY-PW***"
-DB_NAME="explorer"
+DB_USER="${DB_USER:-explorer}"
+DB_NAME="${DB_NAME:-explorer}"
+if [ -z "${DB_PASSWORD:-}" ]; then
+ echo "ERROR: DB_PASSWORD environment variable must be set before running this script." >&2
+ echo "Generate a strong value (e.g. openssl rand -base64 32) and export it:" >&2
+ echo " export DB_PASSWORD=''" >&2
+ echo " sudo -E bash scripts/setup-database.sh" >&2
+ exit 1
+fi
 echo "Creating database user: $DB_USER"
 echo "Creating database: $DB_NAME"
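Review bot: The usage hint printed by the new guard recommends `sudo -E bash scripts/setup-database.sh`, which carries the operator's entire environment into a root shell when only the secret is needed; `sudo --preserve-env=DB_PASSWORD bash scripts/setup-database.sh` keeps that to the one variable. The same hunk makes `DB_USER` and `DB_NAME` overridable from the environment, and the statements that consume them lie outside the hunk, so if they are interpolated into SQL text a guard such as `case "$DB_USER$DB_NAME" in *[!A-Za-z0-9_]*) echo "invalid DB_USER/DB_NAME" >&2; exit 1;; esac` before first use would be prudent. Deleting the literal from the working tree does not remove it from history, so the legacy credential should be treated as exposed and rotated unless that has already happened elsewhere. The commit message also describes a gitleaks rule that misses the shell-escaped form, yet the diffstat shows no change to `.gitleaks.toml`, so the detection gap that let this file through appears to remain open.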