fix: encryption salt key is not any random string (#25483)

PostHog · Oct 9, 2024 · c0368cc · c0368cc
1 parent f7dce38
commit c0368cc
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 5 deletions.
diff --git a/bin/deploy-hobby b/bin/deploy-hobby
@@ -12,7 +12,7 @@ export SENTRY_DSN="${SENTRY_DSN:-'https://[email protected]/1'}"
 POSTHOG_SECRET=$(head -c 28 /dev/urandom | sha224sum -b | head -c 56)
 export POSTHOG_SECRET
 
-ENCRYPTION_SALT_KEYS=$(head -c 28 /dev/urandom | sha224sum -b | head -c 56)
+ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64 | tr +/ -_ | tr -d =)
 export ENCRYPTION_SALT_KEYS
 
 # Talk to the user

diff --git a/bin/upgrade-hobby b/bin/upgrade-hobby
@@ -56,12 +56,24 @@ else
 fi
 
 [[ -f ".env" ]] && export $(cat .env | xargs) || ( echo "No .env file found. Please create it with POSTHOG_SECRET and DOMAIN set." && exit 1)
+
 # we introduced ENCRYPTION_SALT_KEYS and so if there isn't one, need to add it
 # check for it in the .env file
-if ! grep -q "ENCRYPTION_SALT_KEYS" .env
-then
-    ENCRYPTION_SALT_KEYS=$(head -c 28 /dev/urandom | sha224sum -b | head -c 56)
-    echo "ENCRYPTION_SALT_KEYS=$ENCRYPTION_SALT_KEYS" >> .env
+if ! grep -q "ENCRYPTION_SALT_KEYS" .env; then
+    ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64 | tr +/ -_ | tr -d =)
+    echo "ENCRYPTION_SALT_KEYS=$ENCRYPTION_KEY" >> .env
+    echo "Added missing ENCRYPTION_SALT_KEYS to .env file"
+else
+    # Read the existing key
+    EXISTING_KEY=$(grep "ENCRYPTION_SALT_KEYS" .env | cut -d '=' -f2)
+
+    # Check if the existing key is in the correct format (32 bytes base64url)
+    if [[ ! $EXISTING_KEY =~ ^[A-Za-z0-9_-]{43}$ ]]; then
+        echo "ENCRYPTION_SALT_KEYS is not in the correct fernet format and will not work"
+        echo "🛑 Stop this script and do not proceed"
+        echo "remove ENCRYPTION_SALT_KEYS from .env and try again"
+        exit 1
+    fi
 fi