Secrets should not be hardcoded into app.ini by env-to-ini

[lonix1]

Description

Related to #25034, and opening report here as per discussion with @wxiaoguang.

I want to load the four secrets into gitea, using files, because I don't want to hardcode them into app.ini (which goes into source control).

So I have these files:

$ ls:

.env
docker-compose.yml
INTERNAL_TOKEN
JWT_SECRET
LFS_JWT_SECRET
SECRET_KEY

And docker-compose.yml has this (I use /run/secrets/ even though they are not real secrets, because that path is the convention):

# ...
environment:
  GITEA__server__LFS_JWT_SECRET__FILE: /run/secrets/LFS_JWT_SECRET
  GITEA__security__INTERNAL_TOKEN__FILE: /run/secrets/INTERNAL_TOKEN
  GITEA__security__SECRET_KEY__FILE: /run/secrets/SECRET_KEY
  GITEA__oauth2__JWT_SECRET__FILE: /run/secrets/JWT_SECRET
volumes:
  - ./INTERNAL_TOKEN:/run/secrets/INTERNAL_TOKEN:ro
  - ./JWT_SECRET:/run/secrets/JWT_SECRET:ro
  - ./LFS_JWT_SECRET:/run/secrets/LFS_JWT_SECRET:ro
  - ./SECRET_KEY:/run/secrets/SECRET_KEY:ro

And each file contains a secret:

• ./INTERNAL_TOKEN created using $ gitea generate secret INTERNAL_TOKEN
• ./JWT_SECRET created using $ gitea generate secret JWT_SECRET
• ./LFS_JWT_SECRET created using $ dd if=/dev/urandom bs=1 count=32 status=none | base64 | tr '/+' '_-' | tr -d '='
• ./SECRET_KEY created using $ gitea generate secret SECRET_KEY

I start it, and check the logs, where I see this:

2023/06/17 06:41:03 ...s/setting/setting.go:371:CreateOrAppendToCustomConf() [I] Settings for security.INTERNAL_TOKEN saved to: "/data/gitea/conf/app.ini"                                    
2023/06/17 06:41:03 ...s/setting/setting.go:371:CreateOrAppendToCustomConf() [I] Settings for server.LFS_JWT_SECRET saved to: "/data/gitea/conf/app.ini"                                      

Notice it only mentions security.INTERNAL_TOKEN and server.LFS_JWT_SECRET. It does not mention the other two.

Also, it writes this to app.ini:

[server]
LFS_JWT_SECRET__FILE = /run/secrets/LFS_JWT_SECRET
LFS_JWT_SECRET       = ...secretsecretsecretsecretsecretsecretsecretsecret...

[security]
INTERNAL_TOKEN__FILE = /run/secrets/INTERNAL_TOKEN
INTERNAL_TOKEN       = ...secretsecretsecretsecretsecretsecretsecretsecret...
SECRET_KEY__FILE     = /run/secrets/SECRET_KEY

[oauth2]
JWT_SECRET__FILE     = /run/secrets/JWT_SECRET

Notice LFS_JWT_SECRET and INTERNAL_TOKEN are hardcoded into the file. That is not good, as it's what we are trying to avoid. The app.ini file exists on the host and is now leaking secrets to those who can read it. Also it's interesting that it does that for two files only, but not the other two.

I realise the env-to-ini feature is doing exactly it's job. But maybe there needs to be "exclusions" for those four secrets? Those should not be written to the config file, but used by gitea directly. Is that possible?

Gitea Version

1.19.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

See log lines above

Screenshots

No response

Git Version

I'm using gitea in docker. Host has git 2.39.2

Operating System

debian 12

How are you running Gitea?

docker compose, see above

Database

SQLite

[wxiaoguang]

See the milestone.

[lonix1]

Ok! I used this approach because you told me about it 😄 I didn't know it was not live yet.

When it goes live, do you think the use case above will be handled?

[wxiaoguang]

You can try 1.20-nightly or 1.20.0-rc0 https://hub.docker.com/r/gitea/gitea/tags

[lonix1]

@wxiaoguang I tried it with 1.20.0-rc0.

Now it writes this to app.ini:

[server]
LFS_JWT_SECRET = ...secretsecretsecretsecretsecretsecretsecretsecret...

[security]
INTERNAL_TOKEN = ...secretsecretsecretsecretsecretsecretsecretsecret...
SECRET_KEY     = ...secretsecretsecretsecretsecretsecretsecretsecret...

[oauth2]
JWT_SECRET     = ...secretsecretsecretsecretsecretsecretsecretsecret...

So the problem remains.

The "env-to-ini" feature should treat those four secrets as "special cases", and not write them to the config file.

Is that possible - how would gitea get those secrets if they are not in the app.ini?

(By the way, this new env-to-ini feature - ignoring the problem with secrets - works very nicely, and is very useful. I'm going to use it heavily. Thanks so much for working on it!)

[wxiaoguang]

The "env-to-ini" feature should treat those four secrets as "special cases", and not write them to the config file.

Is that possible?

That's not the design from original PR : Add support for file-based environment variables in environment-to-ini #19857

Gitea doesn't support the feature of loading any secret directly from file at the moment.

[lonix1]

Ok.

However, that means the other issue still has no solution. I'm sorry I wasted time on this, but at least we know this option can be taken off the list. We need a different option.

[wxiaoguang]

I think we can close this one, keep the discussion in #25034 . Reading a value from file for Gitea process is not env-to-ini's job.