# Security Remediation

## Immediate actions

1. Revoke and rotate any Gitea PAT previously stored in `backend/mappings.db`. Treat every token that was ever committed as compromised: the history rewrite below removes it from this repository, not from clones, forks or anyone who has already fetched it.
2. Rotate any secrets encrypted with historical `ENCRYPTION_KEY` values. Generating a new key and re-encrypting is not enough on its own: if an old key was exposed alongside the databases, whoever has the old history can decrypt the old ciphertexts. Change the underlying secrets, then re-encrypt them with the new key.
3. Reset affected local admin/test credentials if they ever existed outside disposable dev environments.

## Purge git history

The repository history contains binary databases with sensitive data. Rewriting history is required before the repository can be treated as clean, but it is not sufficient on its own: it does nothing for data that has already been fetched, which is why the rotations under "Immediate actions" come first.

Recommended targets:

- `backend/mappings.db`
- `backend/tasks.db`
- `backend/auth.db`
- `backend/backend/auth.db`
- `backend/test_auth_debug.py`
- `backend/test_decryption.py`
- `backend/test_encryption.py`

Example with `git filter-repo` (run it in a fresh clone; `filter-repo` refuses to rewrite a clone with local changes or extra refs unless you pass `--force`):

```bash
# --invert-paths removes the listed paths from every commit;
# without it, filter-repo would keep ONLY those paths.
git filter-repo \
  --invert-paths \
  --path backend/mappings.db \
  --path backend/tasks.db \
  --path backend/auth.db \
  --path backend/backend/auth.db \
  --path backend/test_auth_debug.py \
  --path backend/test_decryption.py \
  --path backend/test_encryption.py
```

After rewrite:

```bash
# refs/original/* backups exist only after `git filter-branch`; filter-repo
# does not create them, so this line is a no-op there and required otherwise.
git for-each-ref --format='delete %(refname)' refs/original | git update-ref --stdin

# filter-repo already expires reflogs and runs gc for you; repeating it is
# harmless and is mandatory if you used filter-branch instead.
git reflog expire --expire=now --all
git gc --prune=now --aggressive

# filter-repo removes the `origin` remote so the rewrite cannot be pushed by
# accident; re-add it deliberately (<remote-url> is your repository's URL).
git remote add origin <remote-url>
git push --force --all
git push --force --tags
```

Everyone with an old clone must re-clone, or fetch and hard-reset every branch to the rewritten history; merging or rebasing an old branch onto the new history reintroduces the purged commits. Old clones and forks still hold the removed objects, which is why the rotations above cannot be skipped. The Gitea server also keeps the old objects until it garbage-collects them, and the refs it maintains for pull requests can keep them reachable, so ask a Gitea admin to run garbage collection on the repository after the push. If a protected branch rejects the force push, lift the protection for the push and restore it afterwards.

## Ongoing checks

Run:

```bash
./scripts/scan_secrets.sh
```

before release and before pushing history-rewrite results.
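
As an added example (this is not the project's `scripts/scan_secrets.sh` and not code from the original notes), the script below implements the gate a practitioner wants between the rewrite and the force push: it confirms that none of the purge targets is still reachable from any ref or reflog entry, and that no blob reachable from any commit still matches a token pattern. It assumes `git` is on `PATH`; the path list mirrors the targets above, and the token regex is a generic 40-hex-character pattern (the shape of a Gitea PAT), not something the project defines.

```bash
#!/usr/bin/env bash
# Added example, not part of the original remediation notes or of the
# project's scripts/scan_secrets.sh. Verifies a rewritten clone before the
# force push. Assumptions: git on PATH; PURGE_TARGETS mirrors the list above;
# TOKEN_REGEX is a generic 40-hex-char pattern, not a project-defined one.

# Same targets as the filter-repo command above (assumed list).
PURGE_TARGETS="backend/mappings.db backend/tasks.db backend/auth.db \
backend/backend/auth.db backend/test_auth_debug.py \
backend/test_decryption.py backend/test_encryption.py"

# Generic shape of a 40-hex-character token such as a Gitea PAT (assumption).
TOKEN_REGEX='[0-9a-f]{40}'

# paths_purged REPO PATH...
# Lists every object reachable from any ref (branches, tags, remotes) or any
# reflog entry and reports each PATH that still appears. Returns 0 when clean.
paths_purged() {
  repo="$1"; shift
  leaked=0
  objects=$(git -C "$repo" rev-list --all --reflog --objects 2>/dev/null)
  for p in "$@"; do
    # rev-list --objects prints "<sha> <path>"; match the path column exactly.
    if printf '%s\n' "$objects" \
       | awk -v want="$p" '$2 == want { found = 1 } END { exit !found }'; then
      echo "still in history: $p"
      leaked=1
    fi
  done
  return "$leaked"
}

# history_free_of REPO REGEX
# Runs git grep over every commit reachable from any ref or reflog entry and
# prints "<commit>:<path>" for each blob whose content matches REGEX (-a so
# binary blobs such as SQLite files are scanned too). Returns 0 when nothing
# matches. Unreferenced-but-unpruned objects are not covered; that is what
# `git gc --prune=now` removes.
history_free_of() {
  repo="$1"; regex="$2"
  hits=$(git -C "$repo" rev-list --all --reflog 2>/dev/null \
         | xargs git -C "$repo" grep -a -l -E -e "$regex" 2>/dev/null \
         | sort -u)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# post_rewrite_check REPO
# Combined gate to run right before `git push --force`; nonzero means do not push.
post_rewrite_check() {
  repo="${1:-.}"
  ok=0
  # shellcheck disable=SC2086  # word splitting of the path list is intended
  paths_purged "$repo" $PURGE_TARGETS || ok=1
  history_free_of "$repo" "$TOKEN_REGEX" || ok=1
  if [ "$ok" -eq 0 ]; then
    echo "clean: safe to force-push $repo"
  else
    echo "NOT clean: do not push $repo" >&2
  fi
  return "$ok"
}

# Only runs when given a repository path, e.g. `bash post_rewrite_check.sh .`
if [ "$#" -gt 0 ]; then
  post_rewrite_check "$1"
fi
```

Run it from the rewritten clone after the gc step and before re-adding the remote; a nonzero exit means a target path or a token-shaped string is still reachable and the push must wait. The reflog is included deliberately: a stale reflog entry keeps old objects alive through `git gc --prune=now`, which is exactly the state this check is meant to catch.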