Sanitize Settings Files

In the case of projects like Drupal, Wordpress, Mediawiki, etc, all of which contain settings files with passwords and sensitive information that should never be committed to source control, you should set up some hooks to scrub these files, if you've included them in copy_source.

The following is an excerpt from mediawiki of an unsanitized settings file.

    <?php
    # This file was automatically generated by the MediaWiki 1.18.2
    # installer. If you make manual changes, please keep track in case you
    # need to recreate them later.
    #
    ...
    ## Database settings
    $wgDBtype           = "mysql";
    $wgDBserver         = "localhost";
    $wgDBname           = "wiki";
    $wgDBuser           = "wiki";
    $wgDBpassword       = "0e6409df6fe6af1c27f83bba3";
    ...
    $wgSecretKey = "d18ed14a95e60e6409df6fe6af1c27f83bba3d5c54773a2aacc0e4e57622f67c";
    ...

After sanitization:

    <?php
    # This file was automatically generated by the MediaWiki 1.18.2
    # installer. If you make manual changes, please keep track in case you
    # need to recreate them later.
    #
    ...
    ## Database settings
    $wgDBtype           = "mysql";
    $wgDBserver         = "localhost";
    $wgDBname           = "wiki";
    $wgDBuser           = "wiki";
    $wgDBpassword       = NULL;
    ...
    $wgSecretKey = NULL;
    ...

Production/Staging Environments

• These should be sanitized on fetch.

• Use fetch_files_post.sh with something like the following:

  file="$5/1~LocalSettings.$6.php"
  hooks_set_vars_to_null $file "wgDBpassword,wgSecretKey" || return 1
  echo_green "└── Sensitive data removed from: ${file##*/}"
  
  return 0
  

The above example code will sanitize LocalSettings.php coming from both prod and staging environments, setting the variables $wgDBpassword and $wgSecretKey to NULL as in the example shown above.

Local Development

• These should be sanitized on reset.

• Use reset_files_post.sh with something like the following:

  file="$4/install/LocalSettings.dev.php"
  hooks_set_vars_to_null $file "wgDBpassword,wgSecretKey" || return 1
  echo_green "└── Sensitive data removed from: ${file##*/}"
  
  return 0      
  

The above example code will sanitize only LocalSettings.php coming from your local dev environment, setting the variables $wgDBpassword and $wgSecretKey to NULL.

Sanitization API

The following functions should be considered for sanitization:

• hooks_empty_array_key
• hooks_empty_drupal_conf
• hooks_set_vars_to_null