Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Users can impersonate Shipit on github using the GITHUB_TOKEN env var #904

DazWorrall opened this issue May 8, 2019 · 0 comments


None yet
1 participant
Copy link

commented May 8, 2019

GITHUB_TOKEN is provided in the environment to authenticate git clones. However as it remains in the environment after the initial clone, users can consume this token in their own scripts to impersonate Shipit on Github through the API. This is not ideal because:

  • The token is only designed to be valid at the start of a task to facilitate git cloning (can potentially only be valid for 10 minutes) - if people are relying on it later on in a longer task, it will break unexpectedly from their point of view
  • The unexpected use of the token by users creates an unreliable 'feature' from their perspective
  • Shipit is already a highly privileged entity - lots of access to Github and lots of credentials for production - allowing custom code to impersonate Shipit makes reasoning about its access even harder. We want to be limiting Shipit's access where possible, letting people hit the API on their own means we're likely to break something without realising it

I consider this a bug and would like to fix it. Some options:

  • Can we limit the access of the token itself to only repo read(/write?)?
  • Can we only set the variable for git commands?
  • Obfuscation: move the token into a file or expose it via an endpoint
  • Consider unsetting the variable after the git clone has finished. One big issue with that I see is it would break any user supplied git commands at the start of a task - e.g. fetching tags/submodules.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.