mirror of
https://github.com/Crosstalk-Solutions/project-nomad.git
synced 2026-03-28 03:29:25 +01:00
The benchmark submission HMAC signing secret was hardcoded in source code (CWE-798), allowing anyone reading the open-source repository to extract it and forge benchmark submissions to benchmark.projectnomad.us.

- Read BENCHMARK_HMAC_SECRET from env instead of embedding it in code
- Register the variable in the AdonisJS env schema (optional)
- Add a guard in submitToRepository() that rejects submissions when the secret is not configured
- Document the new variable in .env.example

The benchmark server operator must now inject the real secret via the BENCHMARK_HMAC_SECRET environment variable (e.g. in docker-compose or a .env file). The previously committed secret should be rotated server-side.
22 lines
601 B
Plaintext
PORT=8080
HOST=localhost
LOG_LEVEL=info
APP_KEY=some_random_key
NODE_ENV=development
SESSION_DRIVER=cookie
DB_HOST=localhost
DB_PORT=3306
DB_USER=root
DB_DATABASE=nomad
DB_PASSWORD=password
DB_SSL=false
REDIS_HOST=localhost
REDIS_PORT=6379

# Storage path for NOMAD content (ZIM files, maps, etc.)
# On Windows dev, use an absolute path like: C:/nomad-storage
# On Linux production, use: /opt/project-nomad/storage
NOMAD_STORAGE_PATH=/opt/project-nomad/storage

# HMAC secret used to sign benchmark submissions to benchmark.projectnomad.us
# Generate with: openssl rand -hex 24
# BENCHMARK_HMAC_SECRET=
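The commit message describes the client-side shape of the fix: read BENCHMARK_HMAC_SECRET from the environment, refuse to submit when it is absent, and sign the submission with it. The block below is an added illustration of that pattern in plain Node.js TypeScript; it is not project-nomad's own code and does not use the AdonisJS env module. The function names (loadBenchmarkSecret, signSubmission, verifySubmission), the SHA-256 choice, the JSON-body-as-message convention, the 32-character minimum length and the sample payload are all assumptions made for the example; only submitToRepository() and the variable name come from the commit message. The verifier half is included because the server operator rotating the secret needs the same constant-time comparison on the receiving end.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";
import process from "node:process";

// Example code, not project-nomad's implementation. Everything below except
// submitToRepository() and BENCHMARK_HMAC_SECRET is a name chosen for this example.

type Env = Record<string, string | undefined>;

export class BenchmarkSecretNotConfigured extends Error {}

export interface SignedSubmission {
  body: string;      // canonical JSON body that was signed
  signature: string; // hex HMAC-SHA256 over body
}

// Read the secret from the environment only. Returns null (never a fallback
// constant) when it is missing or implausibly short, so a misconfigured
// deployment cannot silently sign with an empty or placeholder key.
// Assumption: "openssl rand -hex 24" from .env.example yields 48 hex chars,
// so anything under 32 chars is treated as not configured.
export function loadBenchmarkSecret(env: Env = process.env): string | null {
  const raw = env.BENCHMARK_HMAC_SECRET;
  if (raw === undefined) return null;
  const secret = raw.trim();
  return secret.length >= 32 ? secret : null;
}

// HMAC-SHA256 over the exact bytes that will be sent; hex-encoded.
export function signSubmission(body: string, secret: string): string {
  return createHmac("sha256", secret).update(body, "utf8").digest("hex");
}

// Guard from the commit message: refuse to build a submission when the secret
// is not configured, instead of sending an unsigned or trivially-forgeable one.
export function submitToRepository(
  payload: Record<string, unknown>,
  env: Env = process.env,
): SignedSubmission {
  const secret = loadBenchmarkSecret(env);
  if (secret === null) {
    throw new BenchmarkSecretNotConfigured(
      "BENCHMARK_HMAC_SECRET is not set; refusing to submit benchmark results",
    );
  }
  const body = JSON.stringify(payload);
  return { body, signature: signSubmission(body, secret) };
}

// Server-side check with a constant-time compare. Length is compared first
// because timingSafeEqual throws on mismatched buffer sizes.
export function verifySubmission(sub: SignedSubmission, secret: string): boolean {
  const expected = Buffer.from(signSubmission(sub.body, secret), "hex");
  const got = Buffer.from(sub.signature, "hex");
  if (expected.length !== got.length) return false;
  return timingSafeEqual(expected, got);
}

// Constructed sample run: a fake secret and payload, used only for illustration.
export const SAMPLE_SECRET = "0123456789abcdef0123456789abcdef0123456789abcdef";
export const SAMPLE_PAYLOAD = { device: "example-node", tokensPerSecond: 12.5 };

export function demo(): boolean {
  const sub = submitToRepository(SAMPLE_PAYLOAD, { BENCHMARK_HMAC_SECRET: SAMPLE_SECRET });
  return verifySubmission(sub, SAMPLE_SECRET);
}
```

In an AdonisJS app the same guard would read the value through the validated env object registered in the env schema rather than process.env directly; an optional schema entry keeps local development working without the secret while submitToRepository() still refuses to run. The server side must verify with the rotated secret only, so that a signature produced with the previously committed value is rejected.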