security: tighten gitleaks regex for escaped form, document history-purge audit trail
Some checks failed
CI / Backend (go 1.23.x) (pull_request) Successful in 56s
CI / Backend security scanners (pull_request) Failing after 40s
CI / Frontend (node 20) (pull_request) Successful in 2m19s
CI / gitleaks (secret scan) (pull_request) Failing after 7s
e2e-full / e2e-full (pull_request) Has been skipped
Some checks failed
CI / Backend (go 1.23.x) (pull_request) Successful in 56s
CI / Backend security scanners (pull_request) Failing after 40s
CI / Frontend (node 20) (pull_request) Successful in 2m19s
CI / gitleaks (secret scan) (pull_request) Failing after 7s
e2e-full / e2e-full (pull_request) Has been skipped
Two small follow-ups to the out-of-band git-history rewrite that
purged L@ker$2010 / L@kers2010 / L@ker\$2010 from every branch and
tag:
.gitleaks.toml:
- Regex was L@kers?\$?2010 which catches the expanded form but
NOT the shell-escaped form (L@ker\$2010) that slipped past PR #3
in scripts/setup-database.sh. PR #13 fixed the live leak but did
not tighten the detector. New regex L@kers?\\?\$?2010 catches
both forms so future pastes of either form fail CI.
- Description rewritten without the literal password (the previous
description was redacted by the history rewrite itself and read
'Legacy hardcoded ... (***REDACTED-LEGACY-PW*** / ***REDACTED-LEGACY-PW***)'
which was cryptic).
docs/SECURITY.md:
- New 'History-purge audit trail' section recording what was done,
how it was verified (0 literal password matches in any blob or
commit message; 0 legacy-password findings from a post-rewrite
gitleaks scan), and what operator cleanup is still required on
the Gitea host to drop the 13 refs/pull/*/head refs that still
pin the pre-rewrite commits (the update hook declined those refs
over HTTPS, so only an admin on the Gitea VM can purge them via
'git update-ref -d' + 'git gc --prune=now' in the bare repo).
- New 'Re-introduction guard' subsection pointing at the tightened
regex and commit 78e1ff5.
Verification:
gitleaks detect --no-git --source . --config .gitleaks.toml # 0 legacy hits
git log --all -p | grep -cE 'L@ker\$2010|L@kers2010' # 0
This commit is contained in:
@@ -12,8 +12,8 @@ useDefault = true
|
||||
|
||||
[[rules]]
|
||||
id = "explorer-legacy-db-password-L@ker"
|
||||
description = "Legacy hardcoded Postgres / SSH password (***REDACTED-LEGACY-PW*** / ***REDACTED-LEGACY-PW***)"
|
||||
regex = '''L@kers?\$?2010'''
|
||||
description = "Legacy hardcoded Postgres / SSH password (redacted). Matches both the expanded form and the shell-escaped form (backslash-dollar) that appeared in scripts/setup-database.sh."
|
||||
regex = '''L@kers?\\?\$?2010'''
|
||||
tags = ["password", "explorer-legacy"]
|
||||
|
||||
[allowlist]
|
||||
|
||||
@@ -63,6 +63,58 @@ initial public review.
|
||||
- Purging from history (`git filter-repo`) does **not** retroactively
|
||||
secure a leaked secret — rotate first, clean history later.
|
||||
|
||||
## History-purge audit trail
|
||||
|
||||
Following the rotation checklist above, the legacy `L@ker$2010` /
|
||||
`L@kers2010` / `L@ker\$2010` password strings were purged from every
|
||||
branch and tag in this repository using `git filter-repo
|
||||
--replace-text` followed by a `--replace-message` pass for commit
|
||||
message text. The rewritten history was force-pushed with
|
||||
`git push --mirror --force`.
|
||||
|
||||
Verification post-rewrite:
|
||||
|
||||
```
|
||||
git log --all -p | grep -cE 'L@ker\$2010|L@kers2010|L@ker\\\$2010'
|
||||
0
|
||||
gitleaks detect --no-git --source . --config .gitleaks.toml
|
||||
0 legacy-password findings
|
||||
```
|
||||
|
||||
### Residual server-side state (not purgable from the client)
|
||||
|
||||
Gitea's `refs/pull/*/head` refs (the read-only mirror of each PR's
|
||||
original head commit) **cannot be force-updated over HTTPS** — the
|
||||
server's `update` hook declines them. After a history rewrite the
|
||||
following cleanup must be performed **on the Gitea host** by an
|
||||
administrator:
|
||||
|
||||
1. Run `gitea admin repo-sync-release-archive` and
|
||||
`gitea doctor --run all --fix` if available.
|
||||
2. Or manually, as the gitea user on the server:
|
||||
```bash
|
||||
cd /var/lib/gitea/data/gitea-repositories/d-bis/explorer-monorepo.git
|
||||
git for-each-ref --format='%(refname)' 'refs/pull/*/head' | \
|
||||
xargs -n1 git update-ref -d
|
||||
git gc --prune=now --aggressive
|
||||
```
|
||||
3. Restart Gitea.
|
||||
|
||||
Until this server-side cleanup is performed, the 13 `refs/pull/*/head`
|
||||
refs still pin the pre-rewrite commits containing the legacy
|
||||
password. This does not affect branches, the default clone, or
|
||||
`master` — but the old commits remain reachable by SHA through the
|
||||
Gitea web UI (e.g. on the merged PR's **Files Changed** tab).
|
||||
|
||||
### Re-introduction guard
|
||||
|
||||
The `.gitleaks.toml` rule `explorer-legacy-db-password-L@ker` was
|
||||
tightened from `L@kers?\$?2010` to `L@kers?\\?\$?2010` so it also
|
||||
catches the shell-escaped form that slipped past the original PR #3
|
||||
scrub (see commit `78e1ff5`). Future attempts to paste any variant of
|
||||
the legacy password — in source, shell scripts, or env files — will
|
||||
fail the `gitleaks` CI job wired in PR #5.
|
||||
|
||||
## Build-time / CI checks (wired in PR #5)
|
||||
|
||||
- `gitleaks` pre-commit + CI gate on every PR.
|
||||
|
||||
Reference in New Issue
Block a user