fix(scripts): require DB_PASSWORD env var in setup-database.sh #13

Merged
nsatoshi merged 1 commits from devin/1776542488-fix-setup-database-hardcoded-password into master 2026-04-18 20:02:49 +00:00
Owner

Summary

PR #3 scrubbed L@ker$2010 from every env file, compose unit, and deployment doc but missed scripts/setup-database.sh, which still hardcoded DB_PASSWORD="L@ker\$2010" on line 17. That slipped past gitleaks because the shell-escaped form (\$) doesn't literally match the L@kers?\$?2010 regex committed in .gitleaks.toml — the regex was written to catch the expanded form, not the source form.

This PR removes the hardcoded default and requires DB_PASSWORD to be exported by the operator before running the script. Same fail-fast pattern as the rest of the PR #3 conversion.

Changes

scripts/setup-database.sh:

-DB_USER="explorer"
-DB_PASSWORD="L@ker\$2010"
-DB_NAME="explorer"
+DB_USER="${DB_USER:-explorer}"
+DB_NAME="${DB_NAME:-explorer}"
+if [ -z "${DB_PASSWORD:-}" ]; then
+    echo "ERROR: DB_PASSWORD environment variable must be set before running this script." >&2
+    echo "Generate a strong value (e.g. openssl rand -base64 32) and export it:" >&2
+    echo "  export DB_PASSWORD='<strong random password>'" >&2
+    echo "  sudo -E bash scripts/setup-database.sh" >&2
+    exit 1
fi
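Review bot: The usage text printed at the `export DB_PASSWORD='<strong random password>'` and `sudo -E bash scripts/setup-database.sh` lines tells the operator to type the secret as a command argument, where it normally ends up in shell history, and `sudo -E` then passes the caller's whole environment to the root process rather than only this variable. Consider recommending a silent prompt instead (for example `read -rs DB_PASSWORD; export DB_PASSWORD`) and `sudo --preserve-env=DB_PASSWORD bash scripts/setup-database.sh`. Separately, the closing `fi` appears without a `+` marker although the matching `if` is added, so it is worth confirming the hunk is complete as shown.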

Verification

  • git grep -nE 'L@kers?\\?\$?2010' -- scripts/ → no matches.
  • bash -n scripts/setup-database.sh → clean.

Follow-up

After this merges, a history rewrite (git filter-repo --replace-text) will purge the string from all prior commits, then force-push rewritten refs. Separate from this PR.

Note on the gitleaks rule

The regex in .gitleaks.toml will be tightened in the history-rewrite PR to also catch the escaped form (L@kers?\\?\$?2010) so this class of oversight can't recur.
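The gap described in this PR can be pinned down with a small regression check for the scan rule. The following is an added example, not part of the PR or the repository: the two patterns are copied from the text above, the sample lines are constructed, and the URL-encoded form goes beyond the cases the PR mentions to show that a literal-string rule has to be tested against every form in which the secret can be written.

```shell
#!/bin/sh
# Added example: checks which written forms of a known secret a scan regex misses.
# OLD_RE / NEW_RE are taken from the PR text; sample lines below are constructed.

OLD_RE='L@kers?\$?2010'      # rule as committed in .gitleaks.toml
NEW_RE='L@kers?\\?\$?2010'   # tightened rule proposed for the follow-up PR

# missed_by RE: prints the labels of the sample lines that RE does NOT flag.
# Runs in a subshell so its variables do not leak into the caller.
missed_by() (
    re=$1
    out=""
    while IFS='|' read -r label line; do
        # grep -E matches the way `git grep -nE` does in the Verification step
        printf '%s\n' "$line" | grep -qE -- "$re" || out="${out:+$out }$label"
    done <<'EOF'
env-file|DB_PASSWORD=L@ker$2010
sh-double-quoted|DB_PASSWORD="L@ker\$2010"
sh-single-quoted|DB_PASSWORD='L@ker$2010'
url-encoded|postgres://explorer:L%40ker%242010@localhost/explorer
EOF
    printf '%s' "$out"
)

printf 'old rule misses: %s\n' "$(missed_by "$OLD_RE")"
printf 'new rule misses: %s\n' "$(missed_by "$NEW_RE")"
```

The tightened pattern closes the shell-escaped case, but the constructed URL-encoded line still passes both rules.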

nsatoshi added 1 commit 2026-04-18 20:02:19 +00:00
fix(scripts): require DB_PASSWORD env var in setup-database.sh
Some checks failed
CI / Backend (go 1.23.x) (pull_request) Successful in 53s
CI / Backend security scanners (pull_request) Failing after 46s
CI / Frontend (node 20) (pull_request) Successful in 2m8s
CI / gitleaks (secret scan) (pull_request) Failing after 8s
e2e-full / e2e-full (pull_request) Has been skipped
cf1b98738e
PR #3 scrubbed L@ker$2010 from every env file, compose unit, and
deployment doc but missed scripts/setup-database.sh, which still hard-
coded DB_PASSWORD="L@ker\$2010" on line 17. That slipped past
gitleaks because the shell-escaped form (backslash-dollar) does not
match the L@kers?\$?2010 regex committed in .gitleaks.toml -- the
regex was written to catch the *expanded* form, not the source form.

This commit removes the hardcoded default and requires DB_PASSWORD to
be exported by the operator before running the script. Same pattern as
the rest of the PR #3 conversion (fail-fast at boot when a required
secret is unset) so there is no longer any legitimate reason for the
password string to live in the repo.

Verification:
  git grep -nE 'L@kers?\\?\$?2010' -- scripts/    # no matches
  bash -n scripts/setup-database.sh                   # clean
nsatoshi merged commit baf05294c6 into master 2026-04-18 20:02:49 +00:00

Reference: d-bis/explorer-monorepo#13