Skip to content

[security] : secrets.defaults.properties is tracked in the repository — placeholder API keys committed to a public repo enable accidental credential exposure if a contributor copies the file and commits it with real values #438

Description

@prince-pokharna

Labels: security, priority: high

Summary

secrets.defaults.properties is committed to the repository root. Per the README:

"Copy the defaults file and fill in real values: cp secrets.defaults.properties secrets.properties"

This workflow — copy a committed defaults file, fill in real credentials, use locally — is the most common pattern that leads to accidental secret commits. A contributor who misremembers that secrets.properties (not secrets.defaults.properties) is gitignored, or whose IDE auto-stages files, can easily commit real TMDB API keys, Trakt client secrets, or Supabase anon keys into a fork of this 544-star public repository.

Additionally, the defaults file itself may contain placeholder strings that some contributors copy verbatim into CI environment variables, producing silent failures that are hard to debug.

Proposed solution

  • Replace secrets.defaults.properties with a secrets.defaults.properties.template that contains only key names and inline comments describing where to obtain each credential — no placeholder values that look like real secrets (e.g. TMDB_API_KEY= not TMDB_API_KEY=your_key_here).
  • Add a Gradle check task or a pre-commit hook that validates secrets.properties is not staged for commit — similar to the pattern used by the google-services.json gitignore convention.
  • Add a ## Local Secrets Setup section to the README explicitly warning: "Do not rename secrets.defaults.properties to secrets.properties. Copy it instead. The defaults file is public; secrets.properties is gitignored."
  • Verify .gitignore covers secrets.properties (it does per README), google-services.json, and any generated keystore.properties.

I'd like to be assigned this issue. I'd scope the first PR as the template rename + README warning — fast, immediately protective for every future contributor.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions