zaid.marzguioui/myeasycms-v2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Scripts across various package encapsulated into a package named "scripts". Added a script to verify no secrets were leaked into the Git .env files (#74)

Browse Source
This commit is contained in:
Giancarlo Buomprisco
2024-10-25 09:43:10 +02:00
committed by GitHub
parent 8d1cdcfa11
commit df944bb1e5
8 changed files with 126 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
tooling/scripts/package.json Normal file
View File

@@ -0,0 +1,9 @@
{
"name": "scripts",
"private": true,
"version": "0.1.0",
"scripts": {
"dev": "node ./src/dev.mjs",
"checks": "node ./src/checks.mjs"
}
}

111
tooling/scripts/src/checks.mjs Normal file
View File

@@ -0,0 +1,111 @@
import { readFileSync, readdirSync } from 'fs';
import * as path from 'path';
const whitelist = {
STRIPE_SECRET_KEY: [/sk_test_*/],
STRIPE_WEBHOOK_SECRET: [/whsec_*/],
EMAIL_PASSWORD: ['password'],
SUPABASE_DB_WEBHOOK_SECRET: ['WEBHOOKSECRET'],
SUPABASE_SERVICE_ROLE_KEY: ['eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImV4cCI6MTk4MzgxMjk5Nn0.EGIM96RAZx35lJzdJsyH-qQwv8Hdp7fsn3W0YpN81IU'],
};
// List of sensitive environment variables that should not be in .env files
const sensitiveEnvVars = [
'STRIPE_SECRET_KEY',
'STRIPE_WEBHOOK_SECRET',
'LEMON_SQUEEZY_SECRET_KEY',
'LEMON_SQUEEZY_SIGNING_SECRET',
'KEYSTATIC_GITHUB_TOKEN',
'SUPABASE_DB_WEBHOOK_SECRET',
'SUPABASE_SERVICE_ROLE_KEY',
'EMAIL_PASSWORD',
'CAPTCHA_SECRET_TOKEN',
];
// Files to check
const envFiles = ['.env', '.env.development', '.env.production'];
function checkEnvFiles(rootPath) {
let hasSecrets = false;
envFiles.forEach((file) => {
try {
const envPath = path.join(process.cwd(), rootPath, file);
const contents = readFileSync(envPath, 'utf8');
const lines = contents.split('\n');
lines.forEach((line, index) => {
// Skip empty lines and comments
if (!line || line.startsWith('#')) return;
// Check if line contains any sensitive vars
sensitiveEnvVars.forEach((secret) => {
if (line.startsWith(`${secret}=`)) {
// Extract the value
const value = line.split('=')[1].trim().replace(/["']/g, '');
// Skip if value is whitelisted
if (isValueWhitelisted(secret, value)) {
return;
}
console.error(`⚠️ Secret key "${secret}" found in ${file} on line ${index + 1}`);
hasSecrets = true;
}
});
});
} catch (err) {
// File doesn't exist, skip
if (err.code === 'ENOENT') return;
throw err;
}
});
if (hasSecrets) {
console.error('\n❌ Error: Secret keys found in environment files');
console.error(
'\nPlease remove sensitive information from .env files and store them securely:',
);
console.error('- Use environment variables in your CI/CD system');
console.error('- For local development, use .env.local (git ignored)');
process.exit(1);
} else {
const appName = rootPath.split('/').pop();
console.log(`✅ No secret keys found in staged environment files for the app ${appName}`);
}
}
const apps = readdirSync('../../apps');
apps.forEach(app => {
checkEnvFiles(`../../apps/${app}`);
});
function isValueWhitelisted(key, value) {
if (!(key in whitelist)) {
return false;
}
const whiteListedValue = whitelist[key];
if (whiteListedValue instanceof RegExp) {
return whiteListedValue.test(value);
}
if (Array.isArray(whiteListedValue)) {
return whiteListedValue.some(allowed => {
if (allowed instanceof RegExp) {
return allowed.test(value);
}
return allowed.trim() === value.trim();
});
}
return whiteListedValue.trim() === value.trim();
}

4
tooling/scripts/src/dev.mjs Normal file
View File

@@ -0,0 +1,4 @@
import { checkPendingMigrations } from './migrations.mjs';
import './license.mjs';
checkPendingMigrations();

116
tooling/scripts/src/license.mjs Normal file
View File

@@ -0,0 +1,116 @@
import { execSync } from 'child_process';
const endpoint = 'https://makerkit.dev/api/license/check';
async function checkLicense() {
let gitUser, gitEmail;
try {
gitUser =
execSync('git config user.username').toString().trim() ||
execSync('git config user.name').toString().trim();
} catch (error) {
return;
}
if (!gitUser && !gitEmail) {
throw new Error(
"Please set the git user name with the command 'git config user.username <username>'. The username needs to match the GitHub username in your Makerkit organization.",
);
}
try {
gitEmail = execSync('git config user.email').toString().trim();
} catch (error) {
console.info('Error getting git config:', error.message);
if (!gitUser) {
throw new Error(
"Please set the git user name with the command 'git config user.username <username>'. The username needs to match the GitHub username in your Makerkit organization.",
);
}
}
const searchParams = new URLSearchParams();
searchParams.append('username', gitUser);
if (gitEmail) {
searchParams.append('email', gitEmail);
}
const res = await fetch(`${endpoint}?${searchParams.toString()}`);
if (res.status === 200) {
return Promise.resolve();
} else {
return Promise.reject(
new Error(`License check failed. Please set the git user name with the command 'git config user.username <username>'. The username needs to match the GitHub username in your Makerkit organization.`),
);
}
}
function checkVisibility() {
let remoteUrl;
try {
remoteUrl = execSync('git config --get remote.origin.url')
.toString()
.trim();
} catch (error) {
return Promise.resolve();
}
if (!remoteUrl.includes('github.com')) {
return Promise.resolve();
}
let ownerRepo;
if (remoteUrl.startsWith('https://github.com/')) {
ownerRepo = remoteUrl.slice('https://github.com/'.length);
} else if (remoteUrl.startsWith('git@github.com:')) {
ownerRepo = remoteUrl.slice('git@github.com:'.length);
} else {
return;
}
ownerRepo = ownerRepo.replace(/\.git$/, '');
return fetch(`https://api.github.com/repos/${ownerRepo}`)
.then((res) => {
if (res.status === 200) {
return res.json();
} else if (res.status === 404) {
return Promise.resolve();
} else {
return Promise.reject(
new Error(
`GitHub API request failed with status code: ${res.status}`,
),
);
}
})
.then((data) => {
if (data && !data.private) {
console.error(
'The repository has been LEAKED on GitHub. Please delete the repository. A DMCA Takedown Request will automatically be requested in the coming hours.',
);
process.exit(1);
}
});
}
async function main() {
try {
await checkVisibility();
await checkLicense();
} catch (error) {
console.error(`Check failed with error: ${error.message}`);
process.exit(1);
}
}
void main();

30
tooling/scripts/src/migrations.mjs Normal file
View File

@@ -0,0 +1,30 @@
import { execSync } from 'node:child_process';
export function checkPendingMigrations() {
try {
console.info('\x1b[34m%s\x1b[0m', 'Checking for pending migrations...');
const output = execSync('pnpm --filter web supabase migration list', { encoding: 'utf-8', stdio: 'pipe' });
const lines = output.split('\n');
// Skip header lines
const migrationLines = lines.slice(4);
const pendingMigrations = migrationLines
.filter(line => {
const [local, remote] = line.split('│').map(s => s.trim());
return local !== '' && remote === '';
})
.map(line => (line.split('│')[0] ?? '').trim());
if (pendingMigrations.length > 0) {
console.log('\x1b[33m%s\x1b[0m', '⚠️ There are pending migrations that need to be applied:');
pendingMigrations.forEach(migration => console.log(` - ${migration}`));
console.log('\nPlease run "pnpm --filter web supabase db push" to apply these migrations.');
} else {
console.log('\x1b[32m%s\x1b[0m', '✅ All migrations are up to date.');
}
} catch (error) {
console.log('\x1b[33m%s\x1b[0m', '⚠️ Migrations: No remote Supabase project found, we could not check pending migrations. This is normal if you have not yet have linked your Supabase project. Feel free to ignore this message.');
}
}

93
tooling/scripts/src/version.mjs Normal file
View File

@@ -0,0 +1,93 @@
import { execSync } from 'node:child_process';
import { checkPendingMigrations } from './migrations.mjs';
function runGitCommand(command) {
try {
return execSync(command, { encoding: 'utf8', stdio: 'pipe' }).trim();
} catch (error) {
return null;
}
}
function checkMakerkitVersion() {
// Fetch the latest changes from upstream without merging
const fetchResult = runGitCommand('git fetch upstream');
if (fetchResult === null) {
console.info(
'\x1b[33m%s\x1b[0m',
"⚠️ You have not setup 'upstream'. Please set up the upstream remote so you can update your Makerkit version.",
);
return;
}
// Get the number of commits the local branch is behind upstream
const behindCount = runGitCommand('git rev-list --count HEAD..upstream/main');
if (behindCount === null) {
console.warn(
"Failed to get commit count. Ensure you're on a branch that tracks upstream/main.",
);
return;
}
const count = parseInt(behindCount, 10);
const { severity } = getSeveriyLevel(count);
if (severity === 'critical') {
// error emoji: ❌
console.log(
'\x1b[31m%s\x1b[0m',
'❌ Your Makerkit version is outdated. Please update to the latest version.',
);
} else if (severity === 'warning') {
console.log(
'\x1b[33m%s\x1b[0m',
'⚠️ Your Makerkit version is outdated! Best to update to the latest version.',
);
} else {
console.log('\x1b[32m%s\x1b[0m', '✅ Your Makerkit version is up to date!');
}
if (count > 0) {
logInstructions(count);
}
}
function logInstructions(count) {
console.log(
'\x1b[33m%s\x1b[0m',
`You are ${count} commit(s) behind the latest version.`,
);
console.log(
'\x1b[33m%s\x1b[0m',
'Please consider updating to the latest version for bug fixes and optimizations that your version does not have.',
);
console.log('\x1b[36m%s\x1b[0m', 'To update, run: git pull upstream main');
}
function getSeveriyLevel(count) {
if (count > 5) {
return {
severity: 'critical',
};
}
if (count > 0) {
return {
severity: 'warning',
};
}
return {
severity: 'success',
};
}
checkMakerkitVersion();
checkPendingMigrations();