Can node keys that were pushed to GitHub before .env and .ignore files were created still be accessible?
Before I created my .env and .gitignore files, I had a secret key 00000 inside my app.js file that was basically naked text (I forgot the slang for it):
    var admin = require("firebase-admin");
    admin.initializeApp({
      credential: admin.credential.cert({
        privateKey: 00000 // this key is naked
      })
    });
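I committed and pushed the app.js file to GitHub with git push origin master (first commit).
Later I created a .env file with a constant to hide my naked key:

    PRIVATE_KEY=00000

Inside my app.js file I replaced the naked key with the constant from the .env file: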
    const dotenv = require('dotenv');
    dotenv.config(); // reads .env into process.env (load() was an alias in older dotenv releases)
    var admin = require("firebase-admin");
    admin.initializeApp({
      credential: admin.credential.cert({
        privateKey: process.env.PRIVATE_KEY // the key is now safely hidden once added to the .gitignore file
      })
    });
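I created a .gitignore file, added the .env file to it, committed, and pushed everything to GitHub (second commit).
My question now is: my key is hidden and no one can access it, but what about the first commit, when I pushed everything and the key was naked? Is it somehow accessible/unsafe?
@fardjad sent me a link in the comments: github sensitive data
It says: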
Warning: Once you have pushed a commit to GitHub, you should consider any data it contains to be compromised. If you committed a password, change it! If you committed a key, generate a new one.
This article tells you how to make commits with sensitive data unreachable from any branches or tags in your GitHub repository. However, it's important to note that those commits may still be accessible in any clones or forks of your repository, directly via their SHA-1 hashes in cached views on GitHub, and through any pull requests that reference them. You can't do anything about existing clones or forks of your repository, but you can permanently remove all of your repository's cached views and pull requests on GitHub by contacting GitHub Support.
The answer is yes: the naked text in the first commit is accessible/unsafe.
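
An added example, not part of the original post: it rebuilds the two commits described above in a throwaway repository and checks that the key is gone from HEAD but still recoverable from history. The function names, file contents and commit messages are constructed for illustration; 00000 is the placeholder key from the question.

```shell
# Added example: constructed throwaway repo, placeholder key "00000" from the post.

# Print "<short hash> <subject>" for every commit, on any ref, whose diff
# adds or removes the given string.
commits_touching_secret() {
  local repo="$1" secret="$2"
  git -C "$repo" log --all --format='%h %s' -S "$secret"
}

# Succeeds only when the string is present in a tracked file at HEAD.
secret_in_head() {
  local repo="$1" secret="$2"
  git -C "$repo" grep -q -F -e "$secret" HEAD
}

# Recreate the two commits from the question in a temporary repository.
make_demo_repo() {
  local repo
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email demo@example.invalid
  git -C "$repo" config user.name demo
  printf 'privateKey: "00000" // hard-coded\n' > "$repo/app.js"
  git -C "$repo" add app.js
  git -C "$repo" commit -q -m 'first commit: key in app.js'
  printf 'privateKey: process.env.PRIVATE_KEY\n' > "$repo/app.js"
  printf 'PRIVATE_KEY=00000\n' > "$repo/.env"
  printf '.env\n' > "$repo/.gitignore"
  git -C "$repo" add app.js .gitignore   # .env stays untracked
  git -C "$repo" commit -q -m 'second commit: key moved to .env'
  echo "$repo"
}

repo=$(make_demo_repo)
if secret_in_head "$repo" 00000; then
  echo "HEAD: key present"
else
  echo "HEAD: key absent"
fi
echo "Commits whose diff contains the key:"
commits_touching_secret "$repo" 00000
rm -rf "$repo"
```

Both commits are listed because the first adds the key and the second removes it; the first commit's copy of app.js still contains the value, which is why the key has to be regenerated rather than just moved.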