Fix: Add secret referencing (Fixes Issue #18)
Currently the Node SDK doesn't support secret referencing. This PR fixes Issue #18
```
NESTED_SECRET_1=${NESTED_SECRET_2}
NESTED_SECRET_2=${NESTED_SECRET_3}
NESTED_SECRET_3=DEEPLY_NESTED_SECRET
```
Each of these secrets should resolve to: "DEEPLY_NESTED_SECRET".
```
PROTOCOL="https"
HOSTNAME="www.infisical.com"
FULL_HOST=${PROTOCOL}://${HOSTNAME}
```
The FULL_HOST secret should resolve to: "https://www.infisical.com" (i.e. a URL).
In a "db-secrets" folder in the "dev" directory:
```
USERNAME="admin2023"
PASSWORD="Supersecret123"
PORT="4000"
DB_NAME="dev"
```
Then in the "dev" directory:
```
MONGO_URL=mongodb://${dev.db-secrets.USERNAME}:${dev.db-secrets.PASSWORD}@${HOSTNAME}:${dev.db-secrets.PORT}/${dev.db-secrets.DB_NAME}
```
The MONGO_URL secret should resolve to: "mongodb://admin2023:Supersecret123@www.infisical.com:4000/dev" (i.e. a MongoDB connection URI).
A development file (dev.js) is included to assist with creating & fetching secret references. Unit tests have been updated & fix applied for one.
TODO:
- Fix getSecret for secret references (WIP) - issue with caching or expandSecrets setup
- Fix secret references from other folders & environments (DONE - for getAllSecrets)
- Fix support for creating secrets in new folders to allow for seamless unit tests (out-of-scope - another PR)
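The reference syntax described above (same-folder `${KEY}` and cross-folder `${env.folder.KEY}`, resolved recursively), as an added example that is not the SDK's or this PR's code. It assumes secrets are held in a plain object keyed as `env:folder:KEY` (empty folder for the environment root) and adds the cycle check a resolver needs so a self-referencing secret cannot recurse forever.

```javascript
// Added example, not Infisical SDK code. Store layout "env:folder:KEY" is an assumption.
const REF_RE = /\$\{([^}]+)\}/g;

// Turn the text inside ${...} into a store id.
// "KEY"            -> same environment and folder as the referencing secret
// "env.folder.KEY" -> explicit environment and (dot-joined) folder path
function resolveTarget(ref, env, folder) {
  const parts = ref.split(".");
  if (parts.length === 1) return `${env}:${folder}:${ref}`;
  const key = parts.pop();
  const refEnv = parts.shift();
  return `${refEnv}:${parts.join(".")}:${key}`;
}

// Expand one secret, following references depth-first; `stack` holds the
// ids currently being expanded so a cycle (A -> B -> A) is reported, not looped.
function expandSecret(store, id, stack = []) {
  if (stack.includes(id)) {
    throw new Error(`circular reference: ${[...stack, id].join(" -> ")}`);
  }
  if (!(id in store)) throw new Error(`unknown secret: ${id}`);
  const [env, folder] = id.split(":");
  return store[id].replace(REF_RE, (_, ref) =>
    expandSecret(store, resolveTarget(ref, env, folder), [...stack, id]));
}

// Expand every secret in the store (the getAllSecrets case from the PR text).
function expandAll(store) {
  const out = {};
  for (const id of Object.keys(store)) out[id] = expandSecret(store, id);
  return out;
}

// Constructed sample store mirroring the examples in the PR description.
const SAMPLE_STORE = {
  "dev::NESTED_SECRET_1": "${NESTED_SECRET_2}",
  "dev::NESTED_SECRET_2": "${NESTED_SECRET_3}",
  "dev::NESTED_SECRET_3": "DEEPLY_NESTED_SECRET",
  "dev::PROTOCOL": "https",
  "dev::HOSTNAME": "www.infisical.com",
  "dev::FULL_HOST": "${PROTOCOL}://${HOSTNAME}",
  "dev:db-secrets:USERNAME": "admin2023",
  "dev:db-secrets:PASSWORD": "Supersecret123",
  "dev:db-secrets:PORT": "4000",
  "dev:db-secrets:DB_NAME": "dev",
  "dev::MONGO_URL": "mongodb://${dev.db-secrets.USERNAME}:${dev.db-secrets.PASSWORD}@${HOSTNAME}:${dev.db-secrets.PORT}/${dev.db-secrets.DB_NAME}",
};
```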
⚠️ GitGuardian has uncovered 4 secrets following the scan of your pull request.
Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.
🔎 Detected hardcoded secrets in your pull request
| GitGuardian id | Secret | Commit | Filename |
|---|---|---|---|
| - | MongoDB Credentials | e02898c0f29c80de994f1ce378ab9a4963b8d73c | tests/client/InfisicalClient.test.ts |
| - | MongoDB Credentials | b3e0bdd9aa52e0988357475e82360ca49580fed5 | dev.js |
| - | MongoDB Credentials | b3e0bdd9aa52e0988357475e82360ca49580fed5 | dev.js |
| - | MongoDB Credentials | b3e0bdd9aa52e0988357475e82360ca49580fed5 | dev.js |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future, consider:
- following these best practices for managing and storing secrets, including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and to ease remediation.
Any news about this PR? It would be so nice to have the secret referencing in the Node SDK.
Hi @devilmark84, the code I've submitted works well for pulling multiple secrets with nested references (like the examples) - feel free to refactor it if you want to fetch a single secret and edit this PR. But I won't be submitting new code to Infisical...
@dangtony98 can you fix this PR up so it can be merged pls.
Thank you very much for your work on the code! I'd like to understand what's behind this sentence: "I won't be submitting new code to infisical..."
Will shoot to review/merge this sometime in the next week folks.
Any news?
@devilmark84 Probably sometime end of week; there's a lot of ongoing development at the moment across the codebase.
Any news? This feature is so important...