ovalb

Reputation: 605

How to remove sensitive data (API_KEY) across git commit history?

I finished an android project that requires me to use an api_key. I've added the api key in my build.gradle file like this:

     buildTypes.each {
         it.buildConfigField "String", "MDB_API_KEY", "\"243248324293938243\"" 
     }

(that's a random number btw)

Now that I finished the project I need to upload it to Github, for code review. Before doing so, I was asked to remove the api key, and I did

     buildTypes.each {
         it.buildConfigField "String", "MDB_API_KEY", *putYaOwnApiKeyBrothar*
     }

and committed.

But if I push everything to Github, they could access any older commit, and retrieve my api_key.

I've seen similar questions, and the solution seems to be git filter-branch, but it seems that it removes a specific file across the commit history. I want to remove just the key (or that line, for that matter), since I want the *putYaOwnApiKeyBrothar* code available in all my commits. (In case they have to check an older one).

Is that even possible? Is there a simple way? If not, what should I do? Am I being dumb?

Upvotes: 15

Views: 14829

Answers (4)

Vampire

Reputation: 38669

git filter-branch is the way to go. It has various filters and you can remove files from the history, but you can also modify the files as you like. In your case you want to use the --tree-filter option with a command that replaces the String in your file. Something like

     git filter-branch --tree-filter "sed -i 's/243248324293938243/putYaOwnApiKeyBrothar/' your/file/here" --tag-name-filter cat --all

(if you are on macOS (or any *BSD) add '' after sed -i)

Upvotes: 16

Smile

Reputation: 4088

In case you have the following scenario:

  1. Commit history is not complex, e.g. you added sensitive data in a commit and pushed to a feature branch and someone caught the sensitive content during code review.

AND

  2. Your commit doesn't contain a lot of changes (ideally it shouldn't)

Then you can

  1. Take a backup of the changed files
  2. Delete the commit (refer to How to permanently remove few commits from remote branch for ideas)
  3. Copy-paste your commit's changes from the backup, except for the sensitive content
  4. git push --force

I followed this approach because filter-branch showed me a warning and asked me to use git-filter-repo. And the blog which I followed to use git-filter-repo warned me about the damage this script can cause if not used properly.

Upvotes: 0

rassoh

Reputation: 654

Git warned me about filter-branch and recommended using git-filter-repo instead. I installed it and followed the instructions found here. It took me 5 minutes to get the hang of it and it felt very simple and intuitive.

Maybe the biggest thing to note is that git-filter-repo doesn't accept inline search-replace statements. You will have to create your own file that should contain the replacements you want to be made (documentation).

Upvotes: 3

Enock Lubowa

Reputation: 717

git filter-branch worked for me:

     # BSD/macOS sed: -i takes the backup suffix as a separate argument ('' = none); with GNU sed, drop the ''
     git filter-branch --tree-filter "sed -i '' 's/ENTER_API_KEY_TO_REMOVE/STRING_TO_REPLACE_THE_KEY/' filepath"

The file path should include the file name, e.g. /src/main/Application.java, where the key was stored previously. When you try to push these changes to GitHub, they might be rejected, in which case use:

     git push --force

Upvotes: 7
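
The filter-branch rewrite from the answers above, run end to end on a scratch repository, as an added example (not code from any of the posters). It skips commits where the file does not exist yet and counts the commits that still contain the key, including the `refs/original/` backups that filter-branch leaves behind. The path `app/build.gradle`, the function names and the scratch repository are assumptions constructed for the demo.

```shell
# Constructed demo: scratch repo, sample key from the question, assumed file path.
KEY='243248324293938243'
PLACEHOLDER='putYaOwnApiKeyBrothar'
FILE='app/build.gradle'

# Build a scratch repo whose history holds the key in two commits.
make_demo_repo() {
    cd "$(mktemp -d)" || return 1
    git init -q . && git config user.name demo && git config user.email demo@example.invalid
    echo readme > README && git add . && git commit -qm 'initial, no gradle file yet'
    mkdir -p app
    printf 'buildConfigField "String", "MDB_API_KEY", "\\"%s\\""\n' "$KEY" > "$FILE"
    git add . && git commit -qm 'add api key'
    echo '// unrelated' >> "$FILE" && git commit -qam 'unrelated change'
    printf 'buildConfigField "String", "MDB_API_KEY", %s\n' "$PLACEHOLDER" > "$FILE"
    git commit -qam 'remove api key'
}

# Rewrite all refs; the [ -f ] test skips commits that predate the file.
scrub_history() {
    FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch -f --tree-filter \
        "if [ -f '$FILE' ]; then sed 's/$KEY/$PLACEHOLDER/g' '$FILE' > .scrub.tmp &&
            cat .scrub.tmp > '$FILE' && rm .scrub.tmp; fi" \
        --tag-name-filter cat -- --all >/dev/null 2>&1
}

# filter-branch keeps the old commits under refs/original/ and in the reflog.
purge_backups() {
    git for-each-ref --format='%(refname)' refs/original/ |
        while read -r ref; do git update-ref -d "$ref"; done
    git reflog expire --expire=now --all && git gc -q --prune=now
}

# Number of commits reachable from any ref whose tree still contains the key.
commits_with_key() {
    n=0
    for c in $(git rev-list --all); do
        if git grep -q -F -e "$KEY" "$c" >/dev/null 2>&1; then n=$((n + 1)); fi
    done
    echo "$n"
}

make_demo_repo || exit 1
BEFORE=$(commits_with_key)
scrub_history || exit 1
AFTER_REWRITE=$(commits_with_key)   # old commits still reachable via refs/original
purge_backups
AFTER_PURGE=$(commits_with_key)
echo "before=$BEFORE after_rewrite=$AFTER_REWRITE after_purge=$AFTER_PURGE"
```

The count after the rewrite alone stays non-zero because the pre-rewrite commits are still referenced locally; it drops to zero only once the backup refs and reflog entries are gone.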
