From c0368cc42287e557e5b0503e07e31ae9eace7c09 Mon Sep 17 00:00:00 2001
From: Paul D'Ambra
Date: Wed, 9 Oct 2024 18:25:44 +0100
Subject: [PATCH] fix: encryption salt key is not any random string (#25483)

---
 bin/deploy-hobby | 2 +-
 bin/upgrade-hobby | 20 ++++++++++++++++----
 2 files changed, 17 insertions(+), 5 deletions(-)
 mode change 100644 => 100755 bin/upgrade-hobby

diff --git a/bin/deploy-hobby b/bin/deploy-hobby
index 712f3cf17bd90..71f510f3fa7fa 100755
--- a/bin/deploy-hobby
+++ b/bin/deploy-hobby
@@ -12,7 +12,7 @@ export SENTRY_DSN="${SENTRY_DSN:-'https://public@sentry.example.com/1'}"
 POSTHOG_SECRET=$(head -c 28 /dev/urandom | sha224sum -b | head -c 56)
 export POSTHOG_SECRET
 
-ENCRYPTION_SALT_KEYS=$(head -c 28 /dev/urandom | sha224sum -b | head -c 56)
+ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64 | tr +/ -_ | tr -d =)
 export ENCRYPTION_SALT_KEYS
 
 # Talk to the user
diff --git a/bin/upgrade-hobby b/bin/upgrade-hobby
old mode 100644
new mode 100755
index 241c10b9e1d5b..effc3f6192d3a
--- a/bin/upgrade-hobby
+++ b/bin/upgrade-hobby
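Review bot: The replacement line in bin/deploy-hobby assigns `ENCRYPTION_KEY`, but the unchanged `export ENCRYPTION_SALT_KEYS` right below it still exports the old name, which this script no longer sets anywhere, so the export passes nothing on (or a stale value inherited from the caller's environment) and the freshly generated key is thrown away. Keep the name the export uses: `ENCRYPTION_SALT_KEYS=$(head -c 32 /dev/urandom | base64 | tr +/ -_ | tr -d =)`. The upgrade-hobby hunk in this same patch writes the value under `ENCRYPTION_SALT_KEYS`, so the two scripts should agree. A one-line comment on the generator would also help future readers, since the upgrade script's format check depends on it: `# 32 random bytes as URL-safe base64 without padding (43 chars)`.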
@@ -56,12 +56,24 @@ else
 fi
 
 [[ -f ".env" ]] && export $(cat .env | xargs) || ( echo "No .env file found. Please create it with POSTHOG_SECRET and DOMAIN set." && exit 1)
+
 # we introduced ENCRYPTION_SALT_KEYS and so if there isn't one, need to add it
 # check for it in the .env file
-if ! grep -q "ENCRYPTION_SALT_KEYS" .env
-then
-    ENCRYPTION_SALT_KEYS=$(head -c 28 /dev/urandom | sha224sum -b | head -c 56)
-    echo "ENCRYPTION_SALT_KEYS=$ENCRYPTION_SALT_KEYS" >> .env
+if ! grep -q "ENCRYPTION_SALT_KEYS" .env; then
+    ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64 | tr +/ -_ | tr -d =)
+    echo "ENCRYPTION_SALT_KEYS=$ENCRYPTION_KEY" >> .env
+    echo "Added missing ENCRYPTION_SALT_KEYS to .env file"
+else
+    # Read the existing key
+    EXISTING_KEY=$(grep "ENCRYPTION_SALT_KEYS" .env | cut -d '=' -f2)
+
+    # Check if the existing key is in the correct format (32 bytes base64url)
+    if [[ ! $EXISTING_KEY =~ ^[A-Za-z0-9_-]{43}$ ]]; then
+        echo "ENCRYPTION_SALT_KEYS is not in the correct fernet format and will not work"
+        echo "🛑 Stop this script and do not proceed"
+        echo "remove ENCRYPTION_SALT_KEYS from .env and try again"
+        exit 1
+    fi
 fi
 
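Review bot: The existing-key lookup `EXISTING_KEY=$(grep "ENCRYPTION_SALT_KEYS" .env | cut -d '=' -f2)` is unanchored, so a commented-out line, a second line that merely mentions the name, a quoted value (`ENCRYPTION_SALT_KEYS="…"`) or a CRLF-terminated `.env` yields a string that fails the 43-character check and aborts the upgrade even though the key itself is fine. Anchor both lookups and strip quotes and carriage returns before matching: `if ! grep -q '^ENCRYPTION_SALT_KEYS=' .env; then` and `EXISTING_KEY=$(grep -m1 '^ENCRYPTION_SALT_KEYS=' .env | cut -d '=' -f2- | tr -d '"\r')`. The abort message is the only guidance the operator gets and should say what "correct format" means, e.g. `echo "expected 32 random bytes as URL-safe base64 without padding (43 characters)"`, rather than only telling them to delete the key. Removing a key that has already encrypted data would make that data unreadable; that is presumably moot for the old sha224-hex format the commit says never worked, but the message should say so explicitly. The script continues past this hunk, and I cannot see whether a later step expects `ENCRYPTION_SALT_KEYS` in this shell's environment after it is appended to `.env` — the `export $(cat .env | xargs)` on the context line ran before the append, so the new value is only on disk.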