DEV Community

I tried to find MongoDB connection strings over 1000 public GitHub repositories

Kayode on February 05, 2022

I tried to see if I could get other people's MongoDB connection strings just by searching for them on GitHub search. Yes, I found a few. I tried...

Vaibhav Agarwal

While this is an excellent example of something wrong that happens to every developer, I have found that sometimes I need to rewrite the git history. I have found an excellent answer to this here: stackoverflow.com/questions/437623...


Konadu Akwasi Akuoko

You're a savior 😘
Thanks man, I guess I need to do the same 🤣🤣


Dillon Greek

I have spent the past week pondering this after a near-fatal mistake. Glad I'm not the only one who has forgotten .gitignore or wondered about searching git. I worry more about keys and secrets since I work a lot with an algo trading bot. This could wipe out a trading bot.


Kayode

Exactly 😊


Chris Ochsenreither

I was using MongoDB for personal projects, using .env to store the MongoDB URL. Now I've started a job where they use SAM, and one of the nice things is that the template doesn't have any endpoints, secrets, etc., so they're never in your code base (nothing to .gitignore).


Drew Ronsman

Is it bad to have a private repository with all the API keys shown in that repository?


Rolf Streefkerk

It is bad practice; they should be stored in secure (encrypted) storage that can be retrieved in the operating environment.


Kayode

A private repository cannot be queried via the GitHub Search API.

But then, it is more secure not to include your secrets in the repository.


Drew Ronsman

Yeah, so no one will be able to look at the repository.


Luis Juarez

I've definitely done this (accidentally) and only realized it when my API key got a rate limit response. Great reminder.


Kayode • Edited

Wow!
Hope the API rates are not billed :)


Rehman Arshad

This is a good public awareness campaign 👏


Mykezero

Great article, definitely a reminder not to store the credentials along with the application and to use a process that keeps them safe from exposure. The loader was a nice touch!


Kayode

Thanks!

Imagine downloading without a loader or any progress indication 😊


Rehman Arshad

This happened a fair amount of times to me to the point that whenever I start on any project where I plan on using any API keys I instinctively add .env to the .gitignore file immediately before anything else.

And I recall my professor telling me about actual bots sifting through GitHub looking for API keys accidentally committed in git histories to exploit.
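An added example (not code from the article or from any of the commenters) that turns the advice in this thread into a check: secrets are read from the runtime environment rather than the repository, and a staged .env file or a MongoDB connection string with embedded credentials stops the commit. It is a pre-commit-style scanner in Python; the file names and contents in STAGED are constructed, and a real hook would build that dictionary from git's staged contents instead.

```python
"""Pre-commit style check: block MongoDB connection strings and .env files from being committed.

Added example, not the article's code. The STAGED sample below is constructed.
"""
import os
import re
import sys
from urllib.parse import urlsplit

# mongodb:// or mongodb+srv:// up to the next whitespace, quote or angle bracket.
MONGO_URI_RE = re.compile(r"mongodb(?:\+srv)?://[^\s\"'`<>]+")
# The user:password@ part of a URI; used to mask the password in reports.
PASSWORD_RE = re.compile(r"://([^:/@]+):([^@]*)@")


def redact(uri: str) -> str:
    """Mask the password in user:password@host so a report never re-leaks it."""
    return PASSWORD_RE.sub(r"://\1:***@", uri)


def has_credentials(uri: str) -> bool:
    """True when the URI's userinfo carries a username (so almost certainly a password too)."""
    return bool(urlsplit(uri).username)


def scan_text(path, text):
    """Yield (path, line_no, redacted_uri, has_credentials) for every URI found in text."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in MONGO_URI_RE.finditer(line):
            # Trailing punctuation belongs to the surrounding code, not to the URI.
            uri = match.group(0).rstrip(",;)")
            yield (path, line_no, redact(uri), has_credentials(uri))


def scan_files(files):
    """files maps path -> staged contents; returns all findings across the files."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def staged_env_files(files):
    """Paths named .env or .env.<suffix>; .env.example / .env.sample are templates and allowed."""
    hits = []
    for path in files:
        name = os.path.basename(path)
        if name == ".env" or (name.startswith(".env.") and not name.endswith((".example", ".sample"))):
            hits.append(path)
    return hits


# Constructed sample of staged files in a small Node project (hypothetical hosts and passwords).
STAGED = {
    ".env": "PORT=3000\nMONGO_URI=mongodb+srv://appuser:hunter2@cluster0.example.net/shop\n",
    "config.js": 'module.exports = { db: "mongodb://admin:s3cret@db.internal:27017/prod" };\n',
    "app.js": "const uri = process.env.MONGO_URI; // read at runtime, nothing to commit\n",
    "README.md": "Local dev: mongodb://localhost:27017/dev\n",
    ".env.example": "MONGO_URI=mongodb+srv://<user>:<password>@<cluster>/shop\n",
}


def check(files=STAGED) -> int:
    """Return the exit code a pre-commit hook would use: 1 blocks the commit, 0 allows it."""
    block = False
    for path in staged_env_files(files):
        print(f"BLOCK {path}: .env files must stay out of the repository")
        block = True
    for path, line_no, uri, creds in scan_files(files):
        if creds:
            print(f"BLOCK {path}:{line_no}: connection string with credentials: {uri}")
            block = True
        else:
            print(f"note  {path}:{line_no}: credential-free connection string: {uri}")
    return 1 if block else 0


if __name__ == "__main__":
    sys.exit(check())
```

In a real hook the dictionary would be filled from `git diff --cached --name-only` and `git show :<path>` so the check sees exactly what is about to be committed; the placeholder URI in .env.example is deliberately not flagged because it contains no real userinfo. The check only protects the current commit: a connection string that has already been pushed, as in the article, has to be rotated whether or not the history is rewritten afterwards.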
