Got a GitGuardian warning about API_TOKEN_SALT when creating a new Strapi project

Hi, I've never used Railway before and was playing around with deploying a Strapi backend. I linked the correct repo on GitHub, but at some point it created a brand new repo on GitHub for me called strapi (a self-hosted starter or something like that), and then I got a GitGuardian warning email about an API_TOKEN_SALT secret exposed in a Dockerfile that I have no idea about / where it came from. I quickly deleted the project and repo. But I was just wondering if this was anything to worry about / where I went wrong?
34 Replies
Percy
Percy2y ago
Project ID: N/A
dreamingofsoy
dreamingofsoyOP2y ago
N/A
dreamingofsoy
dreamingofsoyOP2y ago
Hi Brody, thanks! The repo was a totally fresh Strapi project generated by Railway, and I'm not even sure what the salt was for or why it was there. Do you know why this would be? It wasn't a repo I had made.
Brody
Brody2y ago
Well, the Railway Strapi template doesn't have a Dockerfile, so could you show me the email from GitGuardian?
dreamingofsoy
dreamingofsoyOP2y ago
<my github>/strapi Dockerfile: Generic High Entropy Secret

FROM node:16-alpine3.14
WORKDIR /app
COPY yarn.lock package.json /app/
RUN yarn install
COPY . /app
ARG PGDATABASE PGHOST PGPASSWORD PGPORT PGUSER PORT CLOUDINARY_KEY CLOUDINARY_NAME CLOUDINARY_SECRET NODE_ENV ADMIN_JWT_SECRET JWT_SECRET API_TOKEN_SALT=<this is where the exposed salt was>
ENV PGDATABASE=$PGDATABASE PGHOST=$PGHOST PGPASSWORD=$PGPASSWORD PGPORT=$PGPORT PGUSER=$PGUSER PORT=$PORT CLOUDINARY_KEY=$CLOUDINARY_KEY CLOUDINARY_NAME=$CLOUDINARY_NAME CLOUDINARY_SECRET=$CLOUDINARY_SECRET NODE_ENV=$NODE_ENV ADMIN_JWT_SECRET=$ADMIN_JWT_SECRET JWT_SECRET=$JWT_SECRET API_TOKEN_SALT=$API_TOKEN_SALT
RUN yarn build
EXPOSE $PORT
CMD yarn start
(No newline at end of file)

This is the file; the email just said "2 secrets detected!" with links to them.
Brody
Brody2y ago
Screenshot of the email please, a picture is worth 1000 words.
dreamingofsoy
dreamingofsoyOP2y ago
dreamingofsoy
dreamingofsoyOP2y ago
One of the warnings on GitGuardian was from [email protected]
Brody
Brody2y ago
The Railway Strapi template hasn't had a Dockerfile since June 4th 2022. The Dockerfile you sent does match the Dockerfile that was deleted on June 5th 2022, so you must have tried to deploy a really old fork.
dreamingofsoy
dreamingofsoyOP2y ago
Fairly new to hosting apps on the cloud, and secrets being exposed freaks me out, especially when I have no idea where they came from. Ah, I just followed the instructions on Railway.
Brody
Brody2y ago
Can you link those instructions here?
dreamingofsoy
dreamingofsoyOP2y ago
I can't link them, as I was just following page by page on Railway, but it was: create a new project, select Strapi as a template, which it says "This template includes 1 GitHub service and 1 database". It then says "Repository details: Where should we clone this repo?" and lists my GitHub, which I've just realised is where the repo came from.
Adam
Adam2y ago
Can you link the page? Sounds like you're reading off one.
Brody
Brody2y ago
They just clicked the "+ New Project" button in the dashboard.
dreamingofsoy
dreamingofsoyOP2y ago
https://railway.app/new/template/strapi At some point I gave access to my desired Strapi backend (can't remember at what step), and I just assumed that would be used; I didn't realise I was cloning a repo. After I clicked deploy and it had deployed, I got the email from GitGuardian.
Brody
Brody2y ago
Okay, I think I have an idea. I will test and get back to you.
dreamingofsoy
dreamingofsoyOP2y ago
Just to ease my anxiety: if I've deleted both the GitHub repo and the Railway project/PostgreSQL DB completely, the salt that was exposed should be useless now, right? PS, thanks for your quick help regarding this; I've also never used Discord before.
Brody
Brody2y ago
Did you put data into Strapi?
dreamingofsoy
dreamingofsoyOP2y ago
I created some environment variables on Railway for cloud storage, and the only thing I created in the Strapi API was an admin user. That's when I realised it wasn't the backend I thought was deployed, as none of the tables that were supposed to be there were.
Brody
Brody2y ago
Then you're fine.
dreamingofsoy
dreamingofsoyOP2y ago
Cool, so what did I do wrong?
Brody
Brody2y ago
When did you sign up for a Railway account?
dreamingofsoy
dreamingofsoyOP2y ago
Yesterday, I think.
Brody
Brody2y ago
Well then, it's not like you could have had the Strapi template from 2022 sitting in your GitHub, so I don't actually know. I don't think you did do anything wrong; Railway's systems might have just had a little hiccup.
dreamingofsoy
dreamingofsoyOP2y ago
I only started using Strapi like 2 days ago too, and only created my own Strapi repo an hour or so before I tried to deploy it on Railway.
Brody
Brody2y ago
I really don't know what could have gone wrong, but I'm confident it wasn't your fault. Wanna try again?
dreamingofsoy
dreamingofsoyOP2y ago
No worries, I've had one of those days, tbh. I told myself to wait until tomorrow to try to deploy it too, but was impatient.
Brody
Brody2y ago
I promise, it wasn't your fault.
dreamingofsoy
dreamingofsoyOP2y ago
I'll try again over the weekend, maybe. I mainly wanted to check I hadn't stupidly exposed some secret and that my shiny new cloud account, which I spent way too long setting up, wasn't doomed. Thanks for the reassurance.
Brody
Brody2y ago
They aren't; all the secrets you entered into Railway are still secure. Once you try again, check if the commit on the deploy matches the latest commit on the repo. If it doesn't, come back here and ping me.
dreamingofsoy
dreamingofsoyOP2y ago
Thanks! It was the confusion of the new Strapi repo and the GitGuardian/Docker warning that totally threw me off as to what was going on; I thought I'd been super cautious. Okay, will do. Thanks for your help and reassurance, Brody!
Brody
Brody2y ago
No problem!
alex
alex2y ago
hmm
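The Dockerfile quoted in the thread declares ARG with a literal default on API_TOKEN_SALT, which is exactly the pattern GitGuardian's "Generic High Entropy Secret" detector reports: the value is committed in the repo and is also baked into the image's build history. The block below is an added example, not code from the thread, from Railway or from Strapi. It is a small Python scanner that parses ARG/ENV declarations in a Dockerfile and flags literal defaults that are high-entropy or sit on a secret-looking variable name; it is run over a constructed copy of the leaky Dockerfile (with a made-up salt, not the real one) and over an assumed hardened variant that declares the same secrets as build args with no default. The function names, thresholds, and both sample Dockerfiles are assumptions.

```python
import math
import re
import shlex

# Constructed sample modelled on the Dockerfile quoted in the thread (assumption;
# the salt value is made up for the example).
LEAKY_DOCKERFILE = """\
FROM node:16-alpine3.14
WORKDIR /app
COPY yarn.lock package.json /app/
RUN yarn install
COPY . /app
ARG PGDATABASE PGHOST PGPASSWORD PGPORT PGUSER PORT NODE_ENV ADMIN_JWT_SECRET JWT_SECRET API_TOKEN_SALT=4Qz9xL2mNpR8sT1vW3yB6cD0eF5gH7jK
ENV PGDATABASE=$PGDATABASE PGHOST=$PGHOST PGPASSWORD=$PGPASSWORD NODE_ENV=$NODE_ENV ADMIN_JWT_SECRET=$ADMIN_JWT_SECRET JWT_SECRET=$JWT_SECRET API_TOKEN_SALT=$API_TOKEN_SALT
RUN yarn build
EXPOSE $PORT
CMD yarn start
"""

# Assumed hardened form (not Railway's template): secrets are build args with
# no default, so nothing sensitive is committed; non-secret settings keep defaults.
HARDENED_DOCKERFILE = """\
FROM node:16-alpine3.14
WORKDIR /app
COPY yarn.lock package.json /app/
RUN yarn install
COPY . /app
ARG NODE_ENV=production
ARG PORT=1337
ARG ADMIN_JWT_SECRET
ARG JWT_SECRET
ARG API_TOKEN_SALT
ENV NODE_ENV=$NODE_ENV PORT=$PORT ADMIN_JWT_SECRET=$ADMIN_JWT_SECRET \\
    JWT_SECRET=$JWT_SECRET API_TOKEN_SALT=$API_TOKEN_SALT
RUN yarn build
EXPOSE $PORT
CMD yarn start
"""

SECRET_LIKE_NAME = re.compile(r"SECRET|SALT|TOKEN|PASSW|KEY|JWT", re.I)


def shannon_entropy(value: str) -> float:
    """Bits per character; 32 distinct symbols in a 32-char string scores 5.0."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def iter_declarations(dockerfile: str):
    """Yield (line_no, instruction, name, value) for each ARG/ENV variable.
    value is None when declared without a default. Backslash continuations are
    folded first, so line numbers count a continued instruction as one line."""
    joined = re.sub(r"\\\n", " ", dockerfile)
    for line_no, raw in enumerate(joined.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        instr, rest = parts[0].upper(), parts[1]
        if instr not in ("ARG", "ENV"):
            continue
        tokens = shlex.split(rest)
        if instr == "ENV" and tokens and "=" not in tokens[0]:
            # Legacy form: ENV name value...
            yield line_no, instr, tokens[0], " ".join(tokens[1:])
            continue
        for token in tokens:
            name, sep, value = token.partition("=")
            yield line_no, instr, name, value if sep else None


def find_hardcoded_secrets(dockerfile: str, min_len: int = 16, min_entropy: float = 3.0):
    """Return ARG/ENV declarations whose literal default looks like a secret."""
    findings = []
    for line_no, instr, name, value in iter_declarations(dockerfile):
        if not value or value.startswith("$"):
            continue  # no default, or merely forwarding another variable
        if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            reason = "high-entropy literal default"
        elif SECRET_LIKE_NAME.search(name):
            reason = "literal default on a secret-looking name"
        else:
            continue
        findings.append({"line": line_no, "instruction": instr, "name": name, "reason": reason})
    return findings


if __name__ == "__main__":
    for label, text in (("leaky", LEAKY_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        hits = find_hardcoded_secrets(text)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  line {h['line']}: {h['instruction']} {h['name']} -> {h['reason']}")
```

Removing the default is the minimum fix for the committed file, but it does not make build args a safe channel: values passed with --build-arg are still recorded in the image and visible with `docker history`. For secrets that the application only needs at runtime, injecting them as container environment variables from the platform (as Railway's variables do) keeps them out of both the repo and the image; for secrets needed during the build itself, BuildKit's `RUN --mount=type=secret` avoids writing them into a layer.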