d-bis/explorer-monorepo
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: d-bis:devin/1776542488-fix-setup-database-hardcoded-password
Branches Tags
d-bis:master d-bis:devin/1776542851-harden-gitleaks-and-document-purge d-bis:devin/1776542488-fix-setup-database-hardcoded-password d-bis:devin/1776541136-docs-auth-refresh-logout-followups d-bis:devin/1776540420-docs-readme-architecture-rewrite d-bis:devin/1776540240-test-e2e-full-and-ci-wiring d-bis:devin/1776540090-chore-frontend-router-decision d-bis:devin/1776539814-feat-jwt-revocation-and-refresh d-bis:devin/1776539646-refactor-config-externalize d-bis:devin/1776539460-refactor-ai-package-split d-bis:devin/1776539160-chore-ci-go-version-and-scanners d-bis:devin/1776538999-fix-auth-context-keys-and-errors d-bis:devin/1776538631-fix-jwt-and-csp-hardening d-bis:devin/1776538357-chore-doc-consolidation d-bis:devin/1776538258-chore-gitignore-and-artifacts d-bis:feat/block-transaction-drilldown d-bis:fix/address-detail-loading-state d-bis:fix/explorer-readonly-contract-interactions d-bis:feat/explorer-dual-currency-display
...
pull from: d-bis:master
Branches Tags
d-bis:master d-bis:devin/1776542851-harden-gitleaks-and-document-purge d-bis:devin/1776542488-fix-setup-database-hardcoded-password d-bis:devin/1776541136-docs-auth-refresh-logout-followups d-bis:devin/1776540420-docs-readme-architecture-rewrite d-bis:devin/1776540240-test-e2e-full-and-ci-wiring d-bis:devin/1776540090-chore-frontend-router-decision d-bis:devin/1776539814-feat-jwt-revocation-and-refresh d-bis:devin/1776539646-refactor-config-externalize d-bis:devin/1776539460-refactor-ai-package-split d-bis:devin/1776539160-chore-ci-go-version-and-scanners d-bis:devin/1776538999-fix-auth-context-keys-and-errors d-bis:devin/1776538631-fix-jwt-and-csp-hardening d-bis:devin/1776538357-chore-doc-consolidation d-bis:devin/1776538258-chore-gitignore-and-artifacts d-bis:feat/block-transaction-drilldown d-bis:fix/address-detail-loading-state d-bis:fix/explorer-readonly-contract-interactions d-bis:feat/explorer-dual-currency-display

3 Commits
devin/1776 ... master

Author SHA1 Message Date
nsatoshi
fe9edd842b Merge pull request 'security: tighten gitleaks regex + document history-purge audit trail' (#14) from devin/1776542851-harden-gitleaks-and-document-purge into master
Some checks failed
CI / Backend (go 1.23.x) (push) Successful in 51s
Details
CI / Backend security scanners (push) Failing after 45s
Details
CI / Frontend (node 20) (push) Successful in 2m5s
Details
CI / gitleaks (secret scan) (push) Failing after 7s
Details
e2e-full / e2e-full (push) Failing after 17s
Details
2026-04-18 20:08:58 +00:00
Devin
fdb14dc420 security: tighten gitleaks regex for escaped form, document history-purge audit trail
Some checks failed
CI / Backend (go 1.23.x) (pull_request) Successful in 56s
Details
CI / Backend security scanners (pull_request) Failing after 40s
Details
CI / Frontend (node 20) (pull_request) Successful in 2m19s
Details
CI / gitleaks (secret scan) (pull_request) Failing after 7s
Details
e2e-full / e2e-full (pull_request) Has been skipped
Details 
Two small follow-ups to the out-of-band git-history rewrite that
purged L@ker$2010 / L@kers2010 / L@ker\$2010 from every branch and
tag:

.gitleaks.toml:
  - Regex was L@kers?\$?2010 which catches the expanded form but
    NOT the shell-escaped form (L@ker\$2010) that slipped past PR #3
    in scripts/setup-database.sh. PR #13 fixed the live leak but did
    not tighten the detector. New regex L@kers?\\?\$?2010 catches
    both forms so future pastes of either form fail CI.
  - Description rewritten without the literal password (the previous
    description was redacted by the history rewrite itself and read
    'Legacy hardcoded ... (***REDACTED-LEGACY-PW*** / ***REDACTED-LEGACY-PW***)'
    which was cryptic).

docs/SECURITY.md:
  - New 'History-purge audit trail' section recording what was done,
    how it was verified (0 literal password matches in any blob or
    commit message; 0 legacy-password findings from a post-rewrite
    gitleaks scan), and what operator cleanup is still required on
    the Gitea host to drop the 13 refs/pull/*/head refs that still
    pin the pre-rewrite commits (the update hook declined those refs
    over HTTPS, so only an admin on the Gitea VM can purge them via
    'git update-ref -d' + 'git gc --prune=now' in the bare repo).
  - New 'Re-introduction guard' subsection pointing at the tightened
    regex and commit 78e1ff5.

Verification:
  gitleaks detect --no-git --source . --config .gitleaks.toml   # 0 legacy hits
  git log --all -p | grep -cE 'L@ker\$2010|L@kers2010'         # 0
 2026-04-18 20:08:13 +00:00
nsatoshi
7c018965eb Merge pull request 'fix(scripts): require DB_PASSWORD env var in setup-database.sh' (#13) from devin/1776542488-fix-setup-database-hardcoded-password into master
Some checks failed
CI / Backend (go 1.23.x) (push) Has been cancelled
Details
CI / Backend security scanners (push) Has been cancelled
Details
CI / Frontend (node 20) (push) Has been cancelled
Details
CI / gitleaks (secret scan) (push) Has been cancelled
Details
2026-04-18 20:02:37 +00:00
2 changed files with 54 additions and 2 deletions
Expand all files Collapse all files

4
.gitleaks.toml
View File

@@ -12,8 +12,8 @@ useDefault = true
[[rules]]
id = "explorer-legacy-db-password-L@ker"
description = "Legacy hardcoded Postgres / SSH password (***REDACTED-LEGACY-PW*** / ***REDACTED-LEGACY-PW***)"
regex = '''L@kers?\$?2010'''
description = "Legacy hardcoded Postgres / SSH password (redacted). Matches both the expanded form and the shell-escaped form (backslash-dollar) that appeared in scripts/setup-database.sh."
regex = '''L@kers?\\?\$?2010'''
tags = ["password", "explorer-legacy"]
[allowlist]

52
docs/SECURITY.md
View File

@@ -63,6 +63,58 @@ initial public review.
- Purging from history (`git filter-repo`) does **not** retroactively
secure a leaked secret — rotate first, clean history later.
## History-purge audit trail
Following the rotation checklist above, the legacy `L@ker$2010` /
`L@kers2010` / `L@ker\$2010` password strings were purged from every
branch and tag in this repository using `git filter-repo
--replace-text` followed by a `--replace-message` pass for commit
message text. The rewritten history was force-pushed with
`git push --mirror --force`.
Verification post-rewrite:
```
git log --all -p | grep -cE 'L@ker\$2010|L@kers2010|L@ker\\\$2010'
0
gitleaks detect --no-git --source . --config .gitleaks.toml
0 legacy-password findings
```
### Residual server-side state (not purgable from the client)
Gitea's `refs/pull/*/head` refs (the read-only mirror of each PR's
original head commit) **cannot be force-updated over HTTPS** — the
server's `update` hook declines them. After a history rewrite the
following cleanup must be performed **on the Gitea host** by an
administrator:
1. Run `gitea admin repo-sync-release-archive` and
`gitea doctor --run all --fix` if available.
2. Or manually, as the gitea user on the server:
```bash
cd /var/lib/gitea/data/gitea-repositories/d-bis/explorer-monorepo.git
git for-each-ref --format='%(refname)' 'refs/pull/*/head' | \
xargs -n1 git update-ref -d
git gc --prune=now --aggressive
```
3. Restart Gitea.
Until this server-side cleanup is performed, the 13 `refs/pull/*/head`
refs still pin the pre-rewrite commits containing the legacy
password. This does not affect branches, the default clone, or
`master` — but the old commits remain reachable by SHA through the
Gitea web UI (e.g. on the merged PR's **Files Changed** tab).
### Re-introduction guard
The `.gitleaks.toml` rule `explorer-legacy-db-password-L@ker` was
tightened from `L@kers?\$?2010` to `L@kers?\\?\$?2010` so it also
catches the shell-escaped form that slipped past the original PR #3
scrub (see commit `78e1ff5`). Future attempts to paste any variant of
the legacy password — in source, shell scripts, or env files — will
fail the `gitleaks` CI job wired in PR #5.
## Build-time / CI checks (wired in PR #5)
- `gitleaks` pre-commit + CI gate on every PR.