Security concern about merge-development-with-master.sh (T6661) #3727

Closed
babel-bot opened this Issue Nov 19, 2015 · 1 comment


babel-bot commented Nov 19, 2015

Issue originally made by @azu

Description

git push "https://${GH_TOKEN}@github.com/babel/babel"

has a security concern.

If git push fails, it leaks ${GH_TOKEN} to the Travis CI console.

e.g.) Authorization Error

git push https://token_xxxx@github.com/user/repo.git

Password for 'https://token_xxxx@github.com':
remote: Invalid username or password.
fatal: Authentication failed for 'https://token_xxxx@github.com/user/repo.git/'

e.g.) Network Error

git push https://token_xxxx@github.com/user/repo.git

fatal: unable to access 'https://token_xxxx@github.com/user/repo.git/': Could not resolve host: github.com

I recommend adding the --quiet flag to git push and > /dev/null 2>&1.

It should be:

git push --quiet "https://${GH_TOKEN}@github.com/babel/babel" > /dev/null 2>&1

Further reading

Thanks.
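
An alternative to discarding all output, shown as an added example that is not part of the original issue or the babel repository: filter the token out of git's output so the error text and exit status survive in the CI log. `GH_TOKEN` and the URL come from the issue; `redact`, `run_redacted` and `fake_failed_push` are hypothetical names, and the failing push is a constructed stand-in so the block runs offline.

```shell
#!/bin/sh
# Added example, not code from the babel repository.
# GH_TOKEN and the push URL are the ones named in the issue; redact,
# run_redacted and fake_failed_push are hypothetical helper names.

# Replace every literal occurrence of $1 on stdin with "***".
# The secret is passed through the environment so awk treats it as a plain
# string, not as a regular expression or an escape sequence.
redact() {
  REDACT_SECRET="$1" awk '
    BEGIN { t = ENVIRON["REDACT_SECRET"] }
    t == "" { print; next }            # nothing to hide
    {
      out = ""
      while ((i = index($0, t)) > 0) {
        out = out substr($0, 1, i - 1) "***"
        $0 = substr($0, i + length(t))
      }
      print out $0
    }'
}

# Run "$@", capture stdout and stderr together, print them redacted on
# stderr, and return the command's own exit status so the CI job still fails.
run_redacted() {
  _rr_out=$("$@" 2>&1) && _rr_rc=0 || _rr_rc=$?
  [ -z "$_rr_out" ] || printf '%s\n' "$_rr_out" | redact "${GH_TOKEN:-}" >&2
  return "$_rr_rc"
}

# Constructed stand-in for a push that fails offline; it prints the same
# "Network Error" message quoted in the issue and exits non-zero like git.
fake_failed_push() {
  echo "fatal: unable to access '$1/': Could not resolve host: github.com" >&2
  return 128
}

# In the CI script the call would be (keep `set -x` off, since shell tracing
# prints the expanded URL before any filter sees it):
#   run_redacted git push --quiet "https://${GH_TOKEN}@github.com/babel/babel"
```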

Collaborator

babel-bot commented Nov 19, 2015

Comment originally made by @kittens

Thank you @azu! I've removed the GitHub token and removed those scripts from Travis in rB7ce5c4307ac5ae57318c2631b6c0f15aebeab735 as we don't actually need them anymore.

@babel-bot babel-bot closed this Nov 19, 2015

@lock lock bot added the outdated label May 9, 2018

@babel babel locked as resolved and limited conversation to collaborators May 9, 2018
