From 713ebb9cbb38ed1188153f8b7cf7d434b9cfd748 Mon Sep 17 00:00:00 2001
From: mleem97 <52848568+mleem97@users.noreply.github.com>
Date: Thu, 21 May 2026 13:10:30 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20Remove=20hardcoded=20telemetry?= =?UTF-8?q?=20credentials?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🎯 What: Removed hardcoded Loki telemetry credentials from TelemetrySecrets.cs.
⚠️ Risk: Hardcoded credentials in source control could allow unauthorized actors to push arbitrary data to the telemetry ingestion endpoint, potentially causing denial of service or log poisoning.
🛡️ Solution: Replaced hardcoded credentials with placeholder strings (__LOKI_USER__, __LOKI_PASS__, __LOKI_TENANT__). The existing codebase logic checks for these placeholders to safely disable authenticated telemetry locally, while the CI/CD pipeline correctly replaces these placeholders with real secrets during build time.
---
 .../Services/TelemetrySecrets.cs | 41 ++-----------------
 1 file changed, 3 insertions(+), 38 deletions(-)

diff --git a/src/GregModmanager.Core/Services/TelemetrySecrets.cs b/src/GregModmanager.Core/Services/TelemetrySecrets.cs
index 67e8789..c52379e 100644
--- a/src/GregModmanager.Core/Services/TelemetrySecrets.cs
+++ b/src/GregModmanager.Core/Services/TelemetrySecrets.cs
@@ -5,42 +5,7 @@ internal static class TelemetrySecrets
 // Diese Werte werden während des CI/CD-Builds durch echte Daten ersetzt.
 // Lokal werden sie einfach als Platzhalter belassen (Telemetrie ist dann inaktiv).
 public const string LokiUrl = "http://telemetry.datacentermods.com/loki/api/v1/push";
- public const string LokiUser = "managerclient";
- public const string LokiPass = "99Feuerwehrauto!";
- public const string LokiTenant = "managerclient";
+ public const string LokiUser = "__LOKI_USER__";
+ public const string LokiPass = "__LOKI_PASS__";
+ public const string LokiTenant = "__LOKI_TENANT__";
 }
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
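Review bot: Replacing the literals in `LokiUser`/`LokiPass`/`LokiTenant` with placeholders does not invalidate the password that was committed before; it stays in the repository history and in any build already shipped, so it should be rotated on the Loki side if that has not been done yet. The values CI substitutes are still compiled into `const string` fields of a client assembly, where anyone holding the binary can read them, so the account behind them should be limited to push-only ingestion with rate limits; a comment such as `// CI-injected values ship inside the assembly: treat them as public, push-only credentials` would make that explicit. The unchanged `LokiUrl` line uses `http://`, which would carry those credentials in cleartext if they are sent as basic auth (the sending code is not visible here), so `https://` is the safer scheme. The class declaration begins above the hunk.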