Secrets should not be hardcoded into app.ini by env-to-ini #11041

New Issue

GiteaMirror · 2025-11-02T09:25:52-06:00

GiteaMirror commented

2025-11-02 09:25:52 -06:00

Originally created by @lonix1 on GitHub (Jun 17, 2023).

Description

Related to #25034, and opening report here as per discussion with @wxiaoguang.

I want to load the four secrets into gitea, using files, because I don't want to hardcode them into app.ini (which goes into source control).

So I have these files:

$ ls:

.env
docker-compose.yml
INTERNAL_TOKEN
JWT_SECRET
LFS_JWT_SECRET
SECRET_KEY

And docker-compose.yml has this (I use /run/secrets/ even though they are not real secrets, because that path is the convention):

# ...
environment:
  GITEA__server__LFS_JWT_SECRET__FILE: /run/secrets/LFS_JWT_SECRET
  GITEA__security__INTERNAL_TOKEN__FILE: /run/secrets/INTERNAL_TOKEN
  GITEA__security__SECRET_KEY__FILE: /run/secrets/SECRET_KEY
  GITEA__oauth2__JWT_SECRET__FILE: /run/secrets/JWT_SECRET
volumes:
  - ./INTERNAL_TOKEN:/run/secrets/INTERNAL_TOKEN:ro
  - ./JWT_SECRET:/run/secrets/JWT_SECRET:ro
  - ./LFS_JWT_SECRET:/run/secrets/LFS_JWT_SECRET:ro
  - ./SECRET_KEY:/run/secrets/SECRET_KEY:ro

And each file contains a secret:

./INTERNAL_TOKEN created using $ gitea generate secret INTERNAL_TOKEN
./JWT_SECRET created using $ gitea generate secret JWT_SECRET
./LFS_JWT_SECRET created using $ dd if=/dev/urandom bs=1 count=32 status=none | base64 | tr '/+' '_-' | tr -d '='
./SECRET_KEY created using $ gitea generate secret SECRET_KEY

I start it, and check the logs, where I see this:

2023/06/17 06:41:03 ...s/setting/setting.go:371:CreateOrAppendToCustomConf() [I] Settings for security.INTERNAL_TOKEN saved to: "/data/gitea/conf/app.ini"                                    
2023/06/17 06:41:03 ...s/setting/setting.go:371:CreateOrAppendToCustomConf() [I] Settings for server.LFS_JWT_SECRET saved to: "/data/gitea/conf/app.ini"

Notice it only mentions security.INTERNAL_TOKEN and server.LFS_JWT_SECRET. It does not mention the other two.

Also, it writes this to app.ini:

[server]
LFS_JWT_SECRET__FILE = /run/secrets/LFS_JWT_SECRET
LFS_JWT_SECRET       = ...secretsecretsecretsecretsecretsecretsecretsecret...

[security]
INTERNAL_TOKEN__FILE = /run/secrets/INTERNAL_TOKEN
INTERNAL_TOKEN       = ...secretsecretsecretsecretsecretsecretsecretsecret...
SECRET_KEY__FILE     = /run/secrets/SECRET_KEY

[oauth2]
JWT_SECRET__FILE     = /run/secrets/JWT_SECRET

Notice LFS_JWT_SECRET and INTERNAL_TOKEN are hardcoded into the file. That is not good, as it's what we are trying to avoid. The app.ini file exists on the host and is now leaking secrets to those who can read it. Also it's interesting that it does that for two files only, but not the other two.

I realise the env-to-ini feature is doing exactly it's job. But maybe there needs to be "exclusions" for those four secrets? Those should not be written to the config file, but used by gitea directly. Is that possible?

Gitea Version

1.19.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

See log lines above

Screenshots

No response

Git Version

I'm using gitea in docker. Host has git 2.39.2

Operating System

debian 12

How are you running Gitea?

docker compose, see above

Database

SQLite

Originally created by @lonix1 on GitHub (Jun 17, 2023). ### Description Related to #25034, and opening report here as per discussion with @wxiaoguang. I want to load the four secrets into gitea, using files, because I don't want to hardcode them into `app.ini` (which goes into source control). So I have these files: `$ ls`: ```` .env docker-compose.yml INTERNAL_TOKEN JWT_SECRET LFS_JWT_SECRET SECRET_KEY ```` And `docker-compose.yml` has this (I use `/run/secrets/` even though they are not real secrets, because that path is the convention): ````yml # ... environment: GITEA__server__LFS_JWT_SECRET__FILE: /run/secrets/LFS_JWT_SECRET GITEA__security__INTERNAL_TOKEN__FILE: /run/secrets/INTERNAL_TOKEN GITEA__security__SECRET_KEY__FILE: /run/secrets/SECRET_KEY GITEA__oauth2__JWT_SECRET__FILE: /run/secrets/JWT_SECRET volumes: - ./INTERNAL_TOKEN:/run/secrets/INTERNAL_TOKEN:ro - ./JWT_SECRET:/run/secrets/JWT_SECRET:ro - ./LFS_JWT_SECRET:/run/secrets/LFS_JWT_SECRET:ro - ./SECRET_KEY:/run/secrets/SECRET_KEY:ro ```` And each file contains a secret: - **`./INTERNAL_TOKEN`** created using `$ gitea generate secret INTERNAL_TOKEN` - **`./JWT_SECRET`** created using `$ gitea generate secret JWT_SECRET` - **`./LFS_JWT_SECRET`** [created using](https://github.com/go-gitea/gitea/issues/22727) `$ dd if=/dev/urandom bs=1 count=32 status=none | base64 | tr '/+' '_-' | tr -d '='` - **`./SECRET_KEY`** created using `$ gitea generate secret SECRET_KEY` I start it, and check the logs, where I see this: ```` 2023/06/17 06:41:03 ...s/setting/setting.go:371:CreateOrAppendToCustomConf() [I] Settings for security.INTERNAL_TOKEN saved to: "/data/gitea/conf/app.ini" 2023/06/17 06:41:03 ...s/setting/setting.go:371:CreateOrAppendToCustomConf() [I] Settings for server.LFS_JWT_SECRET saved to: "/data/gitea/conf/app.ini" ```` Notice it only mentions `security.INTERNAL_TOKEN` and `server.LFS_JWT_SECRET`. It does not mention the other two. Also, it writes this to `app.ini`: ````ini [server] LFS_JWT_SECRET__FILE = /run/secrets/LFS_JWT_SECRET LFS_JWT_SECRET = ...secretsecretsecretsecretsecretsecretsecretsecret... [security] INTERNAL_TOKEN__FILE = /run/secrets/INTERNAL_TOKEN INTERNAL_TOKEN = ...secretsecretsecretsecretsecretsecretsecretsecret... SECRET_KEY__FILE = /run/secrets/SECRET_KEY [oauth2] JWT_SECRET__FILE = /run/secrets/JWT_SECRET ```` Notice `LFS_JWT_SECRET` and `INTERNAL_TOKEN` are hardcoded into the file. That is not good, as it's what we are trying to avoid. The `app.ini` file exists on the host and is now leaking secrets to those who can read it. Also it's interesting that it does that for two files only, but not the other two. I realise the env-to-ini feature is doing exactly it's job. But maybe there needs to be "exclusions" for those four secrets? Those should not be written to the config file, but used by gitea directly. Is that possible? ### Gitea Version 1.19.3 ### Can you reproduce the bug on the Gitea demo site? No ### Log Gist See log lines above ### Screenshots _No response_ ### Git Version I'm using gitea in docker. Host has git 2.39.2 ### Operating System debian 12 ### How are you running Gitea? docker compose, see above ### Database SQLite

GiteaMirror added the type/bug label 2025-11-02 09:25:52 -06:00

GiteaMirror closed this issue

2025-11-02 09:25:52 -06:00

GiteaMirror commented

2025-11-02 09:25:53 -06:00

@wxiaoguang commented on GitHub (Jun 17, 2023):

See the milestone.

@wxiaoguang commented on GitHub (Jun 17, 2023): See the milestone. ![image](https://github.com/go-gitea/gitea/assets/2114189/444acf83-579b-42b7-afbb-4a34cbda95b8)

GiteaMirror commented

2025-11-02 09:25:53 -06:00

@lonix1 commented on GitHub (Jun 17, 2023):

Ok! I used this approach because you told me about it 😄 I didn't know it was not live yet.

When it goes live, do you think the use case above will be handled?

@lonix1 commented on GitHub (Jun 17, 2023): Ok! I used this approach because you told me about it :smile: I didn't know it was [not live yet](https://github.com/go-gitea/gitea/pull/24832). When it goes live, do you think the use case above will be handled?

GiteaMirror commented

2025-11-02 09:25:53 -06:00

@wxiaoguang commented on GitHub (Jun 17, 2023):

You can try 1.20-nightly or 1.20.0-rc0 https://hub.docker.com/r/gitea/gitea/tags

@wxiaoguang commented on GitHub (Jun 17, 2023): You can try 1.20-nightly or 1.20.0-rc0 https://hub.docker.com/r/gitea/gitea/tags

GiteaMirror commented

2025-11-02 09:25:53 -06:00

@lonix1 commented on GitHub (Jun 17, 2023):

@wxiaoguang I tried it with 1.20.0-rc0.

Now it writes this to app.ini:

[server]
LFS_JWT_SECRET = ...secretsecretsecretsecretsecretsecretsecretsecret...

[security]
INTERNAL_TOKEN = ...secretsecretsecretsecretsecretsecretsecretsecret...
SECRET_KEY     = ...secretsecretsecretsecretsecretsecretsecretsecret...

[oauth2]
JWT_SECRET     = ...secretsecretsecretsecretsecretsecretsecretsecret...

So the problem remains.

The "env-to-ini" feature should treat those four secrets as "special cases", and not write them to the config file.

Is that possible - how would gitea get those secrets if they are not in the app.ini?

(By the way, this new env-to-ini feature - ignoring the problem with secrets - works very nicely, and is very useful. I'm going to use it heavily. Thanks so much for working on it!)

@lonix1 commented on GitHub (Jun 17, 2023): @wxiaoguang I tried it with [1.20.0-rc0](https://hub.docker.com/layers/gitea/gitea/1.20.0-rc0/images/sha256-916b4211290266d50258e15b53b5b2c999d9f278054e06d564966aaee368a62b?context=explore). Now it writes this to `app.ini`: ````ini [server] LFS_JWT_SECRET = ...secretsecretsecretsecretsecretsecretsecretsecret... [security] INTERNAL_TOKEN = ...secretsecretsecretsecretsecretsecretsecretsecret... SECRET_KEY = ...secretsecretsecretsecretsecretsecretsecretsecret... [oauth2] JWT_SECRET = ...secretsecretsecretsecretsecretsecretsecretsecret... ```` So the problem remains. The "env-to-ini" feature should treat those four secrets as "special cases", and not write them to the config file. Is that possible - how would gitea get those secrets if they are not in the `app.ini`? (By the way, this new env-to-ini feature - ignoring the problem with secrets - works very nicely, and is very useful. I'm going to use it heavily. Thanks so much for working on it!)

GiteaMirror commented

2025-11-02 09:25:54 -06:00

@wxiaoguang commented on GitHub (Jun 17, 2023):

The "env-to-ini" feature should treat those four secrets as "special cases", and not write them to the config file.

Is that possible?

That's not the design from original PR : Add support for file-based environment variables in environment-to-ini #19857

Gitea doesn't support the feature of loading any secret directly from file at the moment.

@wxiaoguang commented on GitHub (Jun 17, 2023): > The "env-to-ini" feature should treat those four secrets as "special cases", and not write them to the config file. > > Is that possible? That's not the design from original PR : Add support for file-based environment variables in environment-to-ini #19857 Gitea doesn't support the feature of loading any secret directly from file at the moment.

GiteaMirror commented

2025-11-02 09:25:54 -06:00

@lonix1 commented on GitHub (Jun 17, 2023):

Ok.

However, that means the other issue still has no solution. I'm sorry I wasted time on this, but at least we know this option can be taken off the list. We need a different option.

@lonix1 commented on GitHub (Jun 17, 2023): Ok. However, that means the [other issue](https://github.com/go-gitea/gitea/issues/25034) still has no solution. I'm sorry I wasted time on this, but at least we know this option can be taken off the list. We need a different option.

GiteaMirror commented

2025-11-02 09:25:54 -06:00

@wxiaoguang commented on GitHub (Jun 17, 2023):

I think we can close this one, keep the discussion in #25034 . Reading a value from file for Gitea process is not env-to-ini's job.

@wxiaoguang commented on GitHub (Jun 17, 2023): I think we can close this one, keep the discussion in #25034 . Reading a value from file for Gitea process is not `env-to-ini`'s job.

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#11041