
Personal Overrides Not Moved with Shared Secrets

Open rahulmishra117 opened this issue 3 months ago • 1 comment

Overview

This document outlines a data integrity issue identified in the moveSecrets function located in:

File: backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
Function: moveSecrets (lines 2476–2845)

The function currently moves only shared secrets, leaving behind personal overrides, which creates orphaned records and causes data inconsistency across folders.

Description

The moveSecrets function is responsible for transferring secrets from one folder to another. However, it only processes shared secrets, ignoring personal overrides (user-specific secret overrides).

As a result, when a shared secret is moved to a new folder, any associated personal override remains in the source folder, referencing a shared secret that no longer exists. This leads to orphaned records and inconsistent secret counts.

Issue Explanation

Personal overrides linked to shared secrets are left behind in the source folder when a move operation occurs.
These orphaned overrides reference keys that no longer exist, resulting in inaccurate data representation.

Impact Analysis

  • Data Integrity: Orphaned personal overrides remain in the source folder without valid references.
  • Inaccurate Secret Counts: Reporting and analytics become unreliable due to leftover overrides.
  • User Confusion: Users may see inconsistent data between folders after a move.
  • Access Problems: Personal overrides remain accessible in incorrect environments.
  • Database Pollution: Orphaned records accumulate over time, leading to larger cleanup requirements.

Root Cause

The implementation of moveSecrets is restricted to shared secrets and does not consider the presence of personal overrides that belong to the same key.

When shared secrets are moved:

  • Related personal overrides remain in the source folder.
  • The system does not move, delete, or warn about these overrides.

This lack of handling leads to inconsistent data states and corrupted relationships between shared and personal secrets.

Expected Behavior

When shared secrets are moved:

  1. Any associated personal overrides should also be moved to the destination folder.
  2. If moving them is not feasible, they should be deleted from the source folder.
  3. Alternatively, the operation should be blocked until personal overrides are addressed.

rahulmishra117, Oct 07 '25 17:10
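To make the failure mode and the proposed fix concrete, here is an added TypeScript example in the project's language. It is not Infisical's code and does not reproduce its schema: the `SecretRecord` shape, the `folder-A`/`folder-B` identifiers, the sample data and the refuse-on-collision policy are all assumptions for illustration. It models shared secrets and personal overrides keyed by (folderId, key), the shared-only move the issue describes, a move that carries matching overrides along (option 1 under "Expected Behavior"), and an orphan check that can be run over existing data to find overrides already left behind.

```typescript
// Added example (not Infisical's code). Models shared secrets and personal
// overrides keyed by (folderId, key), the shared-only move the issue
// describes, a move that carries overrides along, and an orphan check.
// The record shape and the refuse-on-collision policy are assumptions.

type SecretType = "shared" | "personal";

interface SecretRecord {
  id: string;
  folderId: string;
  key: string;
  type: SecretType;
  userId?: string; // assumed: set only on personal overrides
  value: string;
}

// A (folderId, key) pair identifies the shared secret an override belongs to.
const slot = (folderId: string, key: string): string => `${folderId}\u0000${key}`;

// Behaviour described in the issue: only shared secrets change folder, so a
// personal override of the same key stays behind in the source folder.
function moveSharedOnly(
  secrets: SecretRecord[],
  sourceFolderId: string,
  destFolderId: string,
  keys: string[],
): SecretRecord[] {
  const wanted = new Set(keys);
  return secrets.map((s) =>
    s.folderId === sourceFolderId && s.type === "shared" && wanted.has(s.key)
      ? { ...s, folderId: destFolderId }
      : s,
  );
}

// Option 1 from "Expected Behavior": move every record in the source folder
// whose key matches a moved shared secret, personal overrides included.
// Refuses when the destination already holds a shared secret with that key
// (assumed policy; the real service may resolve collisions differently).
function moveSecretsWithOverrides(
  secrets: SecretRecord[],
  sourceFolderId: string,
  destFolderId: string,
  keys: string[],
): SecretRecord[] {
  const wanted = new Set(keys);
  const movedKeys = new Set(
    secrets
      .filter((s) => s.folderId === sourceFolderId && s.type === "shared" && wanted.has(s.key))
      .map((s) => s.key),
  );
  for (const s of secrets) {
    if (s.folderId === destFolderId && s.type === "shared" && movedKeys.has(s.key)) {
      throw new Error(`key ${s.key} already exists in ${destFolderId}`);
    }
  }
  return secrets.map((s) =>
    s.folderId === sourceFolderId && movedKeys.has(s.key)
      ? { ...s, folderId: destFolderId }
      : s,
  );
}

// Consistency check usable as an audit or cleanup query: a personal override
// is orphaned when its folder has no shared secret with the same key.
function findOrphanedOverrides(secrets: SecretRecord[]): SecretRecord[] {
  const sharedSlots = new Set(
    secrets.filter((s) => s.type === "shared").map((s) => slot(s.folderId, s.key)),
  );
  return secrets.filter(
    (s) => s.type === "personal" && !sharedSlots.has(slot(s.folderId, s.key)),
  );
}

// Constructed sample data, not taken from any real deployment.
const sampleSecrets: SecretRecord[] = [
  { id: "s1", folderId: "folder-A", key: "DB_URL", type: "shared", value: "postgres://shared-host/app" },
  { id: "p1", folderId: "folder-A", key: "DB_URL", type: "personal", userId: "alice", value: "postgres://localhost/app" },
  { id: "s2", folderId: "folder-A", key: "API_KEY", type: "shared", value: "shared-api-key" },
];
```

Moving `DB_URL` from `folder-A` to `folder-B` with `moveSharedOnly` leaves `p1` in `folder-A` with no shared `DB_URL` beside it, and `findOrphanedOverrides` reports exactly that record; `moveSecretsWithOverrides` moves `s1` and `p1` together, leaves `API_KEY` untouched, and the same check then returns nothing. Whatever option is chosen for the fix, running the orphan check over existing data before and after the change is the quickest way to confirm the move left no dangling overrides.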

Quick question before I start working on this—could you point me to where personal overrides are stored or managed in the codebase? I didn’t see a direct reference in secret-v2-bridge-service.ts, so I want to make sure I’m handling them correctly when syncing with shared secrets.

Happy to take this on once I understand the data flow!

abhayiscoding, Oct 08 '25 05:10