Emit a warning when database URL is pasted directly into the schema #17640
/attempt #17640
💡 @kunal00000 submitted a pull request that claims the bounty. You can visit your org dashboard to reward.
Hi @kunal00000 👋 Thank you for opening the PR 🙌 As we reviewed your PR, we have noticed that the warning we had intended to show up when you run We really appreciate the time and effort you've put into this though, and would still like to recognize that with rewarding you the bounty, as you were our first bounty-hunter! 🌟
🎉🎈 @kunal00000 has been awarded $50! 🎈🎊
This was implemented as part of #20731, which was shipped with release 5.2.0. |
Hi @petradonka, thank you for your kindness 🙏. Would you like to get this done in other commands too (as I saw that it was not present in the
No, we intentionally only want a warning in We might tighten that later, but for now we are waiting for feedback on this level of deterrent of putting a plain connection string.
Problem
It should generally be considered a bad practice to paste a private database URL into the schema directly. If the user commits that schema by accident somewhere, or deploys it somewhere, they will be exposed to a security risk.
Suggested solution
I suggest that we emit a warning on `prisma generate` (maybe others too?) when we detect any URL that isn't pointing to `localhost` or `127.0.0.1` is pasted in the schema. This way, we can raise awareness around security and suggest users to either use `.env` or environment variables.
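One way such a check could look, as an added example that is not Prisma's own implementation: it scans the schema text for `datasource` blocks whose `url` is a string literal rather than `env("...")`, flags those whose host is not `localhost` / `127.0.0.1`, and masks credentials so the warning never echoes the secret (the sample schema and datasource names are constructed).

```typescript
// Added example, not Prisma's own implementation: scan schema.prisma text for
// datasource blocks whose `url` is a string literal instead of env("..."), and
// report those that do not point at localhost / 127.0.0.1.
interface Finding {
  datasource: string;  // name of the datasource block
  host: string;        // host taken from the literal URL
  redactedUrl: string; // URL with credentials masked, safe to print in a warning
}
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
// Mask `user:password@` so the warning itself never echoes the secret.
function redactCredentials(url: string): string {
  return url.replace(/\/\/[^@/]*@/, "//***@");
}
// WHATWG URL parsing handles postgresql://, mysql://, mongodb:// and file: alike;
// an unparseable value is left to Prisma's own schema validation.
function hostOf(url: string): string | null {
  try { return new URL(url).hostname; } catch { return null; }
}
function findPastedUrls(schema: string): Finding[] {
  const findings: Finding[] = [];
  const blockRe = /datasource\s+(\w+)\s*\{([\s\S]*?)\}/g;
  let block: RegExpExecArray | null;
  while ((block = blockRe.exec(schema)) !== null) {
    // `url = env("DATABASE_URL")` is the recommended form and is not flagged.
    const literal = /^\s*url\s*=\s*"([^"]*)"/m.exec(block[2]);
    if (!literal) continue;
    const host = hostOf(literal[1]);
    // A host-less URL (e.g. sqlite file:./dev.db) carries no remote credential.
    if (host === null || host === "" || LOCAL_HOSTS.has(host)) continue;
    findings.push({ datasource: block[1], host, redactedUrl: redactCredentials(literal[1]) });
  }
  return findings;
}
// Warning text in the spirit of the issue: steer the user to .env / env().
function formatWarnings(findings: Finding[]): string[] {
  return findings.map((f) =>
    `warning: datasource "${f.datasource}" has a connection string for ${f.host} pasted ` +
    `into the schema (${f.redactedUrl}); move it to .env and use env("DATABASE_URL")`);
}
// Constructed sample schema: one pasted remote URL, one local, one via env().
const SAMPLE_SCHEMA = `
datasource db    { provider = "postgresql"
  url = "postgresql://app:s3cret@db.example.com:5432/app" }
datasource local { provider = "mysql"
  url = "mysql://root:root@localhost:3306/dev" }
datasource good  { provider = "postgresql"
  url = env("DATABASE_URL") }
`;
console.log(formatWarnings(findPastedUrls(SAMPLE_SCHEMA)).join("\n"));
```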