github-mirror/project-nomad
1
0
Fork 0
mirror of https://github.com/Crosstalk-Solutions/project-nomad.git synced 2026-03-29 04:59:26 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
bc06965ec3
project-nomad/admin/start
History
Sebastion bc06965ec3
fix(security): move hardcoded HMAC secret to environment variable 
The benchmark submission HMAC signing secret was hardcoded in source
code (CWE-798), allowing anyone reading the open-source repository to
extract it and forge benchmark submissions to benchmark.projectnomad.us.

- Read BENCHMARK_HMAC_SECRET from env instead of embedding it in code
- Register the variable in the AdonisJS env schema (optional)
- Add a guard in submitToRepository() that rejects submissions when
  the secret is not configured
- Document the new variable in .env.example

The benchmark server operator must now inject the real secret via the
BENCHMARK_HMAC_SECRET environment variable (e.g. in docker-compose or
a .env file).  The previously committed secret should be rotated
server-side.
2026-03-25 08:00:43 +00:00
..
env.ts fix(security): move hardcoded HMAC secret to environment variable 2026-03-25 08:00:43 +00:00
kernel.ts feat: background job overhaul with bullmq 2025-12-06 23:59:01 -08:00
routes.ts fix(downloads): allow users to dismiss failed downloads 2026-03-20 11:46:10 -07:00