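#!/usr/bin/env bash
# Scan the repository for common secret patterns. Exit 0 if none found, 1 if potential leak.
# Run from repo root or from modified/: ./scripts/check-no-secrets.sh
#
# Patterns checked (content matches only; file names are not inspected):
#   - Google API key (Maps, etc.): AIza followed by 35 key characters
#   - FCM legacy server key: AAAA followed by a long base64-like string
#   - keyfcm = ... or define('keyfcm' ... with a long literal value (legacy)
#
# Only file paths are printed for a hit, never the matching line, so the
# secret itself does not end up in CI logs.
set -eu

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
cd "$ROOT"

# Vendored/generated trees that only yield false positives. Excluding them at
# the directory level (instead of `grep -v` on the output) means a genuine hit
# whose line merely contains the text "node_modules" is no longer dropped.
readonly EXCLUDE_DIRS=(node_modules .dart_tool .git)

FOUND=0       # 1 once any pattern matched
SCAN_ERROR=0  # 1 if grep itself failed, so a broken scan never reports OK

#######################################
# Search source files for one secret pattern and record the outcome.
# Globals:   EXCLUDE_DIRS (read), FOUND (written), SCAN_ERROR (written)
# Arguments: $1 - extended regex to search for
#            $2 - message to print when the pattern matches
#            $3.. - file globs to scan (each becomes a grep --include)
# Outputs:   message plus the matching file paths on stdout; grep failures
#            are reported on stderr
# Returns:   0 always; results are carried in FOUND / SCAN_ERROR
#######################################
scan() {
  local pattern=$1 message=$2
  shift 2
  local -a args=(-rlE)
  local glob dir
  for glob in "$@"; do
    args+=("--include=$glob")
  done
  for dir in "${EXCLUDE_DIRS[@]}"; do
    args+=("--exclude-dir=$dir")
  done

  # grep exits 1 for "no match" (the clean case) and 2 for an actual error;
  # keep the two apart so a failed scan is not mistaken for a clean one.
  local hits rc=0
  hits=$(grep "${args[@]}" -- "$pattern" . 2>/dev/null) || rc=$?
  if (( rc > 1 )); then
    printf 'check-no-secrets: grep failed (exit %d) while scanning for %s\n' "$rc" "$pattern" >&2
    SCAN_ERROR=1
    return 0
  fi
  if [[ -n "$hits" ]]; then
    printf '%s\n' "$message"
    # -l above limits output to file names; list them so the finding can be
    # located without echoing the key material.
    printf '  %s\n' $hits
    FOUND=1
  fi
  return 0
}

#######################################
# Run every check and map the result to the process exit status.
# Globals:   FOUND (read), SCAN_ERROR (read)
# Returns:   exits 0 when clean, 1 when a potential secret was found or the
#            scan could not complete
#######################################
main() {
  # Google API key (Maps, etc.): AIza followed by 35 alphanumeric chars
  scan 'AIza[0-9A-Za-z_-]{35}' \
    "check-no-secrets: possible Google Maps-style API key (AIza...) found. Do not reuse this key for FCM; keep client and server keys separate and move them to env/config." \
    '*.php' '*.dart' '*.yaml' '*.json' '*.md'

  # FCM legacy server key: AAAA followed by long base64-like string
  scan 'AAAA[0-9A-Za-z_-]{100,}' \
    "check-no-secrets: possible FCM legacy server key (AAAA...) found. This must be different from any Google Maps client key and stored only in secure backend config." \
    '*.php' '*.dart' '*.yaml' '*.json'

  # keyfcm = ... or define('keyfcm' with a long value (legacy)
  scan "keyfcm.*['\"][A-Za-z0-9_-]{20,}" \
    "check-no-secrets: keyfcm or similar hardcoded key found. Ensure this FCM key is different from any Google Maps key and loaded from env/config, not source." \
    '*.php'

  if (( FOUND )); then
    printf '%s\n' "check-no-secrets: FAIL (potential secrets found). Remove from source, use env/config, and keep Google Maps and FCM keys distinct."
    exit 1
  fi
  if (( SCAN_ERROR )); then
    # Fail closed: an incomplete scan must not be read as "no secrets".
    printf '%s\n' "check-no-secrets: FAIL (scan could not complete; see errors above)" >&2
    exit 1
  fi
  printf '%s\n' "check-no-secrets: OK (no common secret patterns found)"
  exit 0
}

main "$@"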