Got a git guardian warning about API_TOKEN_SALT by creating new strapi project
Hi, I've never used railway before and was playing around deploying a strapi backend. I linked the correct repo on github but at some point it created a brand new repo in github for me called strapi (a self hosted starter or something like that) and then I got a git guardian warning email about an API_TOKEN_SALT secret exposed in a docker file that I have no idea about/where it came from. I quickly deleted the project and repo. But I was just wondering if this was anything to worry about/where I went wrong?
34 Replies
Project ID:
N/A
Hi, Brody, thanks! The repo was a totally fresh strapi project generated by railway and I'm not even sure what the salt was for or why it was there, do you know why this would be, it wasn't a repo I had made
well the railway strapi template doesn't have a dockerfile, so could you show me the email from git guardian?
<my github>/strapi
Dockerfile
Generic High Entropy Secret
FROM node:16-alpine3.14
WORKDIR /app
COPY yarn.lock package.json /app/
RUN yarn install
COPY . /app
ARG PGDATABASE PGHOST PGPASSWORD PGPORT PGUSER PORT CLOUDINARY_KEY CLOUDINARY_NAME CLOUDINARY_SECRET NODE_ENV ADMIN_JWT_SECRET JWT_SECRET API_TOKEN_SALT=<this is where the exposed salt was>
ENV PGDATABASE=$PGDATABASE PGHOST=$PGHOST PGPASSWORD=$PGPASSWORD PGPORT=$PGPORT PGUSER=$PGUSER PORT=$PORT CLOUDINARY_KEY=$CLOUDINARY_KEY CLOUDINARY_NAME=$CLOUDINARY_NAME CLOUDINARY_SECRET=$CLOUDINARY_SECRET NODE_ENV=$NODE_ENV ADMIN_JWT_SECRET=$ADMIN_JWT_SECRET JWT_SECRET=$JWT_SECRET API_TOKEN_SALT=$API_TOKEN_SALT
RUN yarn build
EXPOSE $PORT
CMD yarn start
this is the file
the email just said '2 secrets detected!' with links to them
screenshot of email please, a picture is worth 1000 words
one of the warnings on git guardian was from [email protected]
the railway strapi template hasn't had a dockerfile since June 4th 2022
the dockerfile you sent does match the dockerfile that was deleted on June 5th 2022
so you must have tried to deploy a really old fork
fairly new to hosting apps on the cloud and secrets being exposed freaks me out, especially when I have no idea where they came from
ah, i just followed the instructions on railway
can you link those instructions here?
I can't link them as they were just following page by page on railway
but it was create a new project
select strapi as a template, which it says 'This template includes 1 GitHub service and 1 database'
it then says
Repository details
Where should we clone this repo?
and lists my github, which I've just realised is where the repo came from
Can you link the page?
sounds like you’re reading off one
they just clicked the "+ new project" button in the dashboard
https://railway.app/new/template/strapi
at some point I gave access to my desired strapi backend (can't remember at what step), and I just assumed that would be used, I didn't realise I was cloning a repo
after I clicked deploy and it had deployed, I got the email from git guardian
okay I think I have an idea, I will test and get back to you
Just to ease my anxiety, if I've deleted both the github repo and the railway project/postgresql db completely, the salt that was exposed should be useless now, right?
ps, thanks for your quick help regarding this, I've also never used discord before
did you put data into strapi?
I created some environment variables on railway for cloud storage and the only thing I created on the strapi api was an admin user
that's when I realised it wasn't the backend I thought was deployed as none of my tables were there that were supposed to be
then you're fine
cool, so, what did I do wrong?
when did you sign up for a railway account
yesterday I think
well then it's not like you could have the strapi template from 2022 sitting in your github
so I don't actually know, I don't think you did do anything wrong, railway's systems might have just had a little hiccup
I only started using strapi like 2 days ago too, and only created my own strapi repo an hour or so before I tried to deploy it on railway
I really don't know what could have gone wrong, but I'm confident it wasn't your fault
wanna try again?
no worries, I've had one of those days tbh. I told myself to wait until tomorrow to try deploy it too, but was impatient.
I promise, it wasn't your fault
I'll try again over the weekend, maybe. I mainly wanted to check I hadn't stupidly exposed some secret and my shiny new cloud account that I spent way too long setting up were doomed.
Thanks for the reassurance.
they aren't, all the secrets you entered into railway are still secure
once you try again, check if the comment on the deploy matches the latest comment on the repo, if it doesn't come back here and ping me
Thanks! It was the confusion of the new strapi repo and git guardian/docker warning that totally threw me off as to what was going on - I thought I'd been super cautious.
Okay, will do.
Thanks for your help and reassurance, Brody!
no problem!
hmm