Tell HN: Github has dozens of public s3 passwords
I almost pushed my s3 credentials to a public github repo for the third time in one day.
So, I got curious. Are there people out there who forget cover their tracks?
A quick search shows quite a few 'open' buckets out there. What's the best way to warn these folks? What other credentials are lurking out there?
Here's the search: http://github.com/search?langOverride=&language=&q=S3+Base.establish_connection&repo=&start_value=1&type=Code&x=0&y=0
And the first open bucket I found: http://github.com/prakashraman/jammmin/blob/a668672c69fafdb8317fec4fb19b7abb0b318e1a/app/scripts/s3_connect.rb
30 comments
[ 2.9 ms ] story [ 75.0 ms ] threadI concocted the following command to change all mentions of a specific word to another word, in a git repository:
Use this to check if there are any mentions of some word, e.g. your password, in the repository:Sure, posting that on HN is a good way...
Send them a message on GitHub, perhaps?
Don't forget to make it a private discussion.
PS: I do it all the time on my private repos but I try to not do it on the public ones.
Just put "from localsettings import *" in your settings-file, and keep all deployment-specific settings in the localsettings-file
http://help.github.com/removing-sensitive-data/
Mark the file as excluded from svn/git.
Make a settings.sample file for the project.
...this kind of thing doesn't have to be Heroku-specific, though.
You can use any number of very low-barrier strategies to solve this. One that was mentioned a few times in this thread is to use environment variables. Personally I just put a {whatever}.yml or similar in my project tree somewhere and throw it in .gitignore.
I can't imagine a process that starts with "go to westorecredentials.com and sign up..." being any easier. Willing to be surprised :)
Here's my solution - github 'extends' git somehow, so files can be marked private. Then, unless you have commit rights to that repo, you can't see the file's contents. So a public http checkouts lacks the secret password.
And because it's git, someone you give commit rights to is someone you trust. People you don't trust can just make their own repo.
Just because it isn't in a public repo on GitHub doesn't mean it isn't versioned properly. Quite the contrary, I use git locally and on a personal webserver for tons of stuff.
The point isn't that it shouldn't go into git. It's that it doesn't belong as part of your project. Different config options are often needed on each machine, especially development boxes. I don't have the same database.yml as my co-workers... I have my box in production mode or with memcache off for testing purposes maybe... There's tons of stuff like that.
I still keep those files (along with my ~/.git/config, ~/.ssh/config, .gemrc, ~/.profile, ~/.vim* and a hundred other things) in git, just not on GitHub in a public repo.
I just sent this to a few people (including someone who had forked one of my projects and added their S3 keys to a config file):
Noticed you have your Amazon S3 keys out in the open on github. You might want to remove those config files from your repository as described in the thread here:
http://news.ycombinator.com/item?id=1574211
-Pete
Of course you'll need to include that sensitive data in the script, though the first few characters of AWS credentials should be unique enough.
I thought about setting up something similar for networking. If a packet contains my password in cleartext then pop up a warning allowing/denying (denying would have to force the connect to close, I guess). Might be too much overhead though.
http://github.com/roder/riakaws/blob/master/clouds.rb#L10
Thank you, kabuks, so much for noticing this. I have changed my S3 key pair and am getting to cleaning up my git commits.
My God ! But thanks so much.