C#, 3mo ago
TrattTratt

ASP.NET Core, prevent environment variables being exposed in launchsettings.json

I made my GitHub repository public and immediately got an email from SendGrid saying my API key has been disabled cuz it was detected somewhere public. How do I tackle this, cuz all environment variables are in launchsettings? New to environment variables. Prevent launchsettings.json from being pushed to GitHub?
12 Replies
FusedQyou, 3mo ago
Secrets! Simplest way, use Environment.GetEnvironmentVariable and get a secret that way
TrattTratt (OP), 3mo ago
Okay thanks, AI said I could GitIgnore launchsettings if that's easier?
FusedQyou, 3mo ago
Generally these are ignored but I don't do it. I don't have a lot in launchsettings so it's valid for everybody, but it sounds like you store data in there. Generally I just place data in appsettings, unless it's confidential like keys. In that case they go into a secret.
TrattTratt (OP), 3mo ago
Okay, I'll try to make it secret, thank you
FusedQyou, 3mo ago
One thing I did was make this extension method:
```csharp
using System;

internal static class ConfigurationUtils
{
    // Resolves a configuration value. Entries prefixed with "secret:" name an
    // environment variable that holds the real value; anything else is used
    // as-is after %VAR% expansion.
    internal static string ParseConfigurationEntry(string entry)
    {
        const string secretPrefix = "secret:";
        var isSecret = entry.StartsWith(secretPrefix, StringComparison.OrdinalIgnoreCase);
        if (isSecret)
        {
            // Strip the prefix; what remains is the environment variable name.
            entry = entry[secretPrefix.Length..];
            var environmentVariable = Environment.GetEnvironmentVariable(entry);
            if (string.IsNullOrEmpty(environmentVariable))
            {
                // Report the variable's name (entry); its value is null or empty here.
                throw new ArgumentNullException(nameof(environmentVariable), "Missing `" + entry + "` environment variable.");
            }

            return environmentVariable;
        }

        return Environment.ExpandEnvironmentVariables(entry);
    }
}
```
The idea is that appsettings can still hold data in development so it's easier and this is not confidential. However, in production they are replaced with the secret that I can find the data from. Then it's like this:
Dev
```json
"DataConfiguration": {
  "ConnectionString": "DataSource=%TEMP%/Project/app.db"
},
```
Prod
```json
"DataConfiguration": {
  "ConnectionString": "secret:CONNECTIONSTRING"
}
```
Very simple abstraction keeps it easy to develop anywhere, but ensures no confidential data leak when published for production.
TrattTratt (OP), 3mo ago
Okay, I'll try to make it a secret to start with, as it's a sensitive API key
FusedQyou, 3mo ago
I would advise you just make it a secret regardless. I don't have sensitive API keys myself but it would work in your case too. Both instances just have to read from a secret.
TrattTratt (OP), 3mo ago
Okay, I'll try, thanks a lot
Unknown User, 3mo ago
[Message not public]
FusedQyou, 3mo ago
I'd love to see a proper solution for both cases instead of "don't do this"
Unknown User, 3mo ago
[Message not public]
TrattTratt (OP), 3mo ago
I'll have a look, thanks