From 8bff4ac08666db0dce9288f8028ef1df1672d4aa Mon Sep 17 00:00:00 2001 From: Dmitry Gusev Date: Sun, 24 May 2026 20:09:31 +0300 Subject: [PATCH] =?UTF-8?q?chore(security):=20.gitignore=20+=20.gitleaks.t?= =?UTF-8?q?oml=20=D0=B7=D0=B0=D1=89=D0=B8=D1=82=D0=B0=20=D0=BE=D1=82=20CMS?= =?UTF-8?q?-export=20leak?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Превентивная защита от случайной публикации content/logs, content/data, ghost.*.json (см. инцидент moovg_ru 2026-05-24). Co-Authored-By: Claude Opus 4.7
---
.gitignore | 13 +++++++++++-- .gitleaks.toml | 9 +++++++++ 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 2309cc8..8bf1c85 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,13 @@
+# Security: НЕ коммитить production logs и CMS data exports
+# (могут содержать API keys, JWT, private_key). См. инцидент 2026-05-24.
+content/logs/
+content/data/
+*.production.log
+*.production.log.*
+ghost.json
+ghost.*.json
+*.ghost.*.json
+
 # ---> Node
 # Logs
 logs
@@ -134,5 +144,4 @@ dist
 .yarn/unplugged
 .yarn/build-state.yml
 .yarn/install-state.gz
-.pnp.*
-
+.pnp.*
\ No newline at end of file
diff --git a/.gitleaks.toml b/.gitleaks.toml
index fa99dcc..6bbde1c 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -29,6 +29,15 @@ paths = [
 '''.*\.min\.(js|css)$''',
 '''dist/.*''',
 '''build/.*''',
+
+ # Защита на случай возврата CMS exports / production logs в репо
+ # (см. инцидент 2026-05-24 с Ghost ghost_private_key + members_private_key).
+ # Сами файлы УЖЕ удалены из history через git filter-repo, allowlist —
+ # дополнительная защита для будущих commit'ов.
+ '''content/logs/.*''',
+ '''content/data/.*''',
+ '''.*\.production\.log(\.[0-9]+)?$''',
+ '''.*\.ghost\..*\.json$''',
 ]

 # Конкретные паттерны, которые false-positive
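Review bot: The four entries added to `paths` exempt `content/logs/`, `content/data/`, production logs and Ghost exports from scanning rather than protecting them, because the hunk's own comment calls this list an allowlist and gitleaks suppresses findings for any file matching an allowlisted path (the section header sits above the hunk, so confirm it is `[allowlist]`). `.gitignore` is only advisory: if one of these files comes back via `git add -f` or a later edit to the ignore rules, the scanner would skip exactly the files that held `ghost_private_key` and `members_private_key`. I would drop the four added pattern lines and replace the comment with something like `# content/logs, content/data and Ghost exports must stay scanned: do not allowlist them`. If a hard block on these paths is wanted, a custom `[[rules]]` entry with a `path` regex reports the file itself instead of hiding it. Note also that `.*\.ghost\..*\.json$` does not match `ghost.json` or `ghost.*.json` from the `.gitignore` hunk, so the two lists disagree on scope.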