Merge pull request #10 from ScotDex/codex/remove-embedded-secrets-from-scripts

ScotDex · web-flow · commit f1531cd5372e · 2025-07-08T23:05:07.000+01:00
Sanitize credentials
diff --git a/API/api-auth-script.ps1 b/API/api-auth-script.ps1
@@ -1,8 +1,8 @@
 # Description: This script is used to make a GET request to an API endpoint with basic authentication.
 # Usage: powershell -File api-script.ps1
 
-$username="admin"
-$password="password"
+$username = $env:API_USERNAME
+$password = $env:API_PASSWORD
 $credentials = "{$username}:{$password}"
 $credentialBytes = [System.Text.Encoding]::ASCII.GetBytes($credentials)
 $base64AuthInfo = [Convert]::ToBase64String($credentialBytes)
diff --git a/API/api-script.ps1 b/API/api-script.ps1
@@ -1,8 +1,8 @@
 # Description: This script is used to make a GET request to an API endpoint with basic authentication.
 # Usage: powershell -File api-script.ps1
 
-$username="admin"
-$password="password"
+$username = $env:API_USERNAME
+$password = $env:API_PASSWORD
 $credentials = "{$username}:{$password}"
 $credentialBytes = [System.Text.Encoding]::ASCII.GetBytes($credentials)
 $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($credentialBytes))
@@ -15,5 +15,4 @@ $headers = @{
     Authorization=$basicAuthHeader
     "Content-Type"="application/json"
 }
-
-Invoke-RestMethod -Uri "$urlbase/" -Headers $headers -Method Get
+Invoke-RestMethod -Uri "$urlbase/" -Headers $headers -Method Get
diff --git a/Development/eve-auth-api-test.ps1 b/Development/eve-auth-api-test.ps1
@@ -11,8 +11,8 @@
 
 # The code below is used to authenticate with the EVE Online API using OAuth2
 # The code is based on the example provided in the EVE Online documentation: https://esi.evetech.net/ui/?version=latest#/Character/get_characters_character_id
-$clientID="539efdfedabe4ca19575d01b6ae5ba8e"
-$clientSecret="xBMQMOOZVxfQI8RQPSjKEKXvqsdJKybv8UceDZjY"
+$clientID=$env:EVE_CLIENT_ID
+$clientSecret=$env:EVE_CLIENT_SECRET
 # $credentials = "{$username}:{$password}"
 # $credentialBytes = [System.Text.Encoding]::ASCII.GetBytes($credentials)
 # $base64AuthInfo = [Convert]::ToBase64String(($credentialBytes))
@@ -27,7 +27,7 @@ $assetsUrl = "https://esi.evetech.net/latest/characters/95282689/assets/"
 $encodedAssets = [System.Web.HttpUtility]::UrlEncode($assetsUrl)
 Write-Host "Please visit this URL to authenticate: $authUrl"
 
-$authorizationCode = "ZaazFJl76kSX_87Z0GQJ1A"
+$authorizationCode = $env:EVE_AUTH_CODE
 
 $body = @{
     grant_type    = "authorization_code"
@@ -52,5 +52,4 @@ $uri = "https://esi.evetech.net/latest/characters/95282689/"
 $characterInfo = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
 $characterInfo
 
-$assetResponse = Invoke-RestMethod -Uri "$encodedAssets" -Headers $headers -Method Get
-$assetResponse
+$assetResponse = Invoke-RestMethod -Uri "$encodedAssets" -Headers $headers -Method Get$assetResponse
diff --git a/Eve-Online/eve-auth-module.ps1 b/Eve-Online/eve-auth-module.ps1
@@ -1,7 +1,7 @@
 [CmdletBinding()]
 param(
-    [string]$ClientID = "539efdfedabe4ca19575d01b6ae5ba8e",
-    [string]$ClientSecret = "xBMQMOOZVxfQI8RQPSjKEKXvqsdJKybv8UceDZjY",
+    [string]$ClientID = $env:EVE_CLIENT_ID,
+    [string]$ClientSecret = $env:EVE_CLIENT_SECRET,
     [string]$RedirectUri = "???", # Wondereing what to use for an end point because localhost:port is not an option - perhaps cloud run?
     [string]$Scopes = "publicData esi-assets.read_assets.v1"
 )
diff --git a/Pen-Test/payload.ps1 b/Pen-Test/payload.ps1
@@ -29,8 +29,8 @@ Start-Process ".\response.html"
 
 $uri = "https://halo.tsg.com/status"
 $body = @{
-    email = "test@example.com"
-    password = "SuperSecret123"
+    email = $env:TEST_EMAIL
+    password = $env:TEST_PASSWORD
 } | ConvertTo-Json
 
 $response = Invoke-RestMethod -Uri $uri -Method Post -Body $body -ContentType 'application/json' -ErrorAction Stop
diff --git a/README.md b/README.md
@@ -0,0 +1,24 @@
+# The Script Lab
+
+This repository contains various PowerShell scripts for API testing, tooling and development experiments.
+
+## Providing Credentials
+
+Some scripts require credentials. To avoid hard coding sensitive values, these scripts read their credentials from environment variables:
+
+- `API_USERNAME` and `API_PASSWORD` for scripts in the `API` folder.
+- `EVE_CLIENT_ID` and `EVE_CLIENT_SECRET` for EVE Online authentication scripts.
+- `EVE_AUTH_CODE` for `Development/eve-auth-api-test.ps1`.
+- `TEST_EMAIL` and `TEST_PASSWORD` for `Pen-Test/payload.ps1`.
+- `ELASTIC_USERNAME` and `ELASTIC_PASSWORD` for `Tooling/elastic-rule-report.ps1`.
+
+Before running a script, export the required variables in your shell:
+
+```powershell
+$env:API_USERNAME = 'myuser'
+$env:API_PASSWORD = 'mypassword'
+# set other variables as needed
+```
+
+Use your preferred secrets management solution to supply these values securely.
+
diff --git a/Tooling/elastic-rule-report.ps1 b/Tooling/elastic-rule-report.ps1
@@ -8,8 +8,8 @@
 $ODS = Read-Host -Prompt "Please enter your ODS to search (ensure in CAPS e.g. 'RCU')"
 
 $outputFile = "$env:USERPROFILE\Desktop\Generated-Rule-Report1.csv"
-$Username = "synanetics-system"
-$Password = "Kc1cmCxYDG^bP@cMDP5u"
+$Username = $env:ELASTIC_USERNAME
+$Password = $env:ELASTIC_PASSWORD
 $credentials = "$($Username):$($Password)"
 $credentialBytes = [System.Text.Encoding]::ASCII.GetBytes($credentials)
 $EncodedCredentials = [System.Convert]::ToBase64String($credentialBytes)
