Security: Sanitize test scripts for Open Source packages #101

Closed · opened 2025-09-03 12:54:39 +02:00 by michael (Owner) · 1 comment

Security Issue: Test scripts contain internal DAW infrastructure details

Problem: Test scripts in furt packages contain internal DAW infrastructure details that are not intended for end users.

Internal details found:

Mail server:

  • mail.dragons-at-work.de → should be mail.example.com
  • michael@dragons-at-work.de → should be admin@example.com
  • noreply@dragons-at-work.de → should be noreply@example.com

API endpoints:

  • api.dragons-at-work.de → should be api.example.com
  • smida.dragons-at-work.de → should be git.example.com

Test API keys with internal patterns:

  • hugo-dev-key-change-in-production → should be YOUR_API_KEY_HERE
  • admin-dev-key-change-in-production → should be YOUR_ADMIN_KEY_HERE

Affected files (from the security audit):

Critical:

  • scripts/setup_env.sh - SMTP config with dragons-at-work.de
  • scripts/production_test_sequence.sh - production API tests
  • scripts/test_smtp.sh - mail server tests
  • scripts/manual_mail_test.sh - manual tests

Medium:

  • scripts/test_auth.sh - API key tests
  • scripts/test_modular.sh - API tests
  • scripts/stress_test.sh - load tests

Proposed solution:

File-by-file sanitization (not exclusion - the tests are valuable for developers):

  1. Domain sanitization:

    dragons-at-work.de → example.com
    smida.dragons-at-work.de → git.example.com

  2. E-mail sanitization:

    michael@dragons-at-work.de → admin@example.com
    your_email@dragons-at-work.de → your_email@example.com

  3. API key sanitization:

    hugo-dev-key-change-in-production → YOUR_API_KEY_HERE
    admin-dev-key-change-in-production → YOUR_ADMIN_KEY_HERE

Why the tests should stay:

  • Debugging aid for installation problems
  • Example code for your own adaptations
  • Test guidance for developers when making changes
  • Quality assurance - developers should run the tests

Implementation tasks:

  • Sanitize scripts/setup_env.sh - mail config
  • Sanitize scripts/production_test_sequence.sh - API tests
  • Sanitize scripts/test_smtp.sh - SMTP tests
  • Sanitize scripts/manual_mail_test.sh - manual tests
  • Sanitize scripts/test_auth.sh - auth tests
  • Sanitize scripts/test_modular.sh - modular tests
  • Sanitize scripts/stress_test.sh - load tests
  • Test all scripts after sanitization
  • Test the package build with the sanitized scripts

Success criteria:

  • No internal DAW infrastructure in open source packages
  • Test scripts work with example.com domains
  • Developers have the complete test suite
  • Clear guidance for setting up your own environment

Priority: Medium (after package distribution setup)
Effort: Small-Medium (sanitize + test 7 files)
Type: security, packaging

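The file-by-file sanitization proposed above, written out as a small POSIX shell helper. This is an added example and not code from the furt project: the function names `sanitize_stream`, `sanitize_file`, `residue_count` and `demo` are hypothetical, and the sample script contents are constructed to look like the affected test scripts. The replacement table is the one from the issue; `residue_count` is the release gate that checks nothing matching the internal patterns survived.

```shell
#!/bin/sh
# Added example (not the furt project's own code): apply the issue's
# domain / e-mail / API-key replacement table to a script and verify
# that no internal pattern remains before the package is built.

# Replacement table from the issue as sed expressions. Order matters:
# the e-mail and host-specific rules come before the bare-domain rule,
# otherwise michael@dragons-at-work.de would become michael@example.com
# and smida.dragons-at-work.de would become smida.example.com.
sanitize_stream() {
  sed \
    -e 's/michael@dragons-at-work\.de/admin@example.com/g' \
    -e 's/noreply@dragons-at-work\.de/noreply@example.com/g' \
    -e 's/your_email@dragons-at-work\.de/your_email@example.com/g' \
    -e 's/smida\.dragons-at-work\.de/git.example.com/g' \
    -e 's/mail\.dragons-at-work\.de/mail.example.com/g' \
    -e 's/api\.dragons-at-work\.de/api.example.com/g' \
    -e 's/dragons-at-work\.de/example.com/g' \
    -e 's/hugo-dev-key-change-in-production/YOUR_API_KEY_HERE/g' \
    -e 's/admin-dev-key-change-in-production/YOUR_ADMIN_KEY_HERE/g'
}

# sanitize_file IN OUT: write a sanitized copy; never edits IN in place,
# so the original can be diffed against the result before committing.
sanitize_file() {
  sanitize_stream < "$1" > "$2"
}

# residue_count FILE: print the number of lines that still contain an
# internal domain or a dev API-key pattern. 0 means the file is clean.
# grep -c exits 1 when there are no matches; "|| true" keeps set -e happy.
residue_count() {
  grep -c -E 'dragons-at-work\.de|-dev-key-change-in-production' "$1" || true
}

# demo: constructed sample in the shape of scripts/test_smtp.sh (hypothetical
# contents), sanitized into a temp dir; succeeds only if the residue gate passes.
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/test_smtp.sh" <<'EOF'
SMTP_HOST=mail.dragons-at-work.de
FROM=noreply@dragons-at-work.de
TO=michael@dragons-at-work.de
API_URL=https://api.dragons-at-work.de/v1
GIT_URL=https://smida.dragons-at-work.de/DAW/furt
API_KEY=hugo-dev-key-change-in-production
ADMIN_KEY=admin-dev-key-change-in-production
EOF
  sanitize_file "$tmp/test_smtp.sh" "$tmp/test_smtp.sanitized.sh"
  before=$(residue_count "$tmp/test_smtp.sh")
  after=$(residue_count "$tmp/test_smtp.sanitized.sh")
  echo "residue lines before: $before, after: $after"
  cat "$tmp/test_smtp.sanitized.sh"
  rm -rf "$tmp"
  [ "$after" -eq 0 ]
}

demo
```

Running `residue_count` over every file in `scripts/` (and, as the follow-up comment shows was needed, over `src/` as well) is the cheap pre-release check: the sanitization is only done when the count is 0 for every file that ships in the package.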
michael added the labels effort/medium, priority/medium, type/security, type/packaging 2025-09-03 12:54:39 +02:00
michael added this to the v0.1.2 - Gateway Basics milestone 2025-09-03 20:30:16 +02:00
michael (Author, Owner) commented 2025-09-07 21:30:19 +02:00

Security Sanitization Complete

Status: All internal DAW infrastructure details successfully removed from open source package.

Files Removed:

  • setup_env.sh (obsolete .env setup)
  • production_test_sequence.sh (DAW-specific production tests)

Files Sanitized:

  • scripts/manual_mail_test.sh - E-mails to example.com
  • scripts/test_auth.sh - API keys to placeholder values
  • scripts/test_modular.sh - API keys sanitized
  • scripts/stress_test.sh - API keys sanitized
  • scripts/test_smtp.sh - Dragons-at-work.de domains to example.com
  • src/http_server.lua - Removed hardcoded DAW CORS domains
  • src/smtp.lua - Removed DAW SMTP fallbacks, config now required
  • .gitignore - Added production-specific exclusions

Testing: All test scripts remain functional with example domains.

Security Impact: Zero internal infrastructure exposure in open source packages.

Branch: security/sanitize-test-scripts merged to main and cleaned up.

Package ready for distribution without security concerns.

Reference: DAW/furt#101