This repository has been archived by the owner on Jan 10, 2023. It is now read-only.

Do not print private token to stdout #22

Closed
pvorb opened this issue Feb 1, 2016 · 4 comments

Comments

@pvorb

pvorb commented Feb 1, 2016

I am using codecov-bash (commit 5ca7b8c) on GitLab CI. I use the -t parameter to provide the private token of my project on codecov.io. Unfortunately, this private token gets printed to stdout and thus is visible in the build log. Build logs are public on GitLab (I'm not sure what's the case for other build servers).

$ bash <(curl -s https://codecov.io/bash) -p $CI_PROJECT_DIR/target/site/jacoco/jacoco.xml -t $codecov_upload_token

...

==> Reading reports
  + ./target/site/jacoco/jacoco.xml bytes=2691
(query) package=bash-5ca7b8c&branch=feature/codecov&commit=5d994fbbf1dd6554a46a447758783d4f9820a49f&build=640242&build_url=&slug=pvorblab-ci-java-gradle-codecov.git&service=gitlab&pr=&job=&token=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

...

I think this behavior should be avoided. When I first configured CI and code coverage I didn't notice that my private token got published.

My current workaround pipes all output of codecov-bash into sed, which filters the token from the output and then prints what's left.
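The redaction filter below is an added example written for this page; it is not code from the issue, from pvorb's workaround, or from codecov-bash itself. It shows the defensive pattern the comment describes: pipe the uploader's output through a filter that masks the token before anything reaches the build log. The uploader is replaced by a constructed stub (`fake_uploader`) that prints a line shaped like the `(query) ... &token=...` line above, and the token value is a constructed placeholder, not a real one.

```shell
#!/bin/sh
# Added example, not part of the original issue or of codecov-bash.
# Masks a CI upload token in a log stream so it never reaches a public build log.
set -e

# redact_secret SECRET [REPLACEMENT]
# Reads stdin, writes stdout with every literal occurrence of SECRET replaced.
# sed metacharacters in SECRET are escaped first, so a token containing '.' or '/'
# can neither break the pattern nor widen the match to unrelated text.
redact_secret() {
  secret="$1"
  replacement="${2:-[REDACTED]}"
  if [ -z "$secret" ]; then
    cat          # nothing to hide; pass the stream through unchanged
    return 0
  fi
  escaped=$(printf '%s' "$secret" | sed 's/[][\.*^$/]/\\&/g')
  sed "s/${escaped}/${replacement}/g"
}

# redact_query_token
# Second line of defence: mask the value of any token=... query parameter,
# which catches an encoded form of the token even if the literal differs.
redact_query_token() {
  sed -E 's/(token=)[^&[:space:]]+/\1[REDACTED]/g'
}

# fake_uploader TOKEN
# Constructed stand-in for the uploader (not the real codecov-bash script);
# it emits a line shaped like the one quoted in the issue, token included.
fake_uploader() {
  echo "==> Reading reports"
  echo "  + ./target/site/jacoco/jacoco.xml bytes=2691"
  echo "(query) package=bash-5ca7b8c&branch=feature/codecov&service=gitlab&token=$1"
}

# run_upload_redacted TOKEN
# The shape a CI job would use: uploader | literal redaction | query redaction.
run_upload_redacted() {
  fake_uploader "$1" | redact_secret "$1" | redact_query_token
}

# Stand-alone demo with a constructed, non-real token value.
run_upload_redacted "11111111-2222-3333-4444-555555555555"
```

Filtering the log is a mitigation at the consumer end; the durable fix is for the uploader not to print the token at all (which, per the later comments, is what happened). The two-stage filter is there because a literal match alone misses an encoded token, and a `token=` match alone misses the value if it is ever printed outside a query string.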

@stevepeak
Contributor

Hey @pvorb I do agree hiding the token would be the best practice. We will be working to remove this shortly.

The token is only used to upload reports and cannot expose any sensitive information. There are no security issues/vulnerabilities with exposed tokens in this manner. But we will hide them in upcoming versions.

Thank you!

@pvorb
Author

pvorb commented Feb 2, 2016

Yes, I'm aware that the information is not super sensitive, but even project pages on codecov.io state:

Please keep tokens private.

So tokens shouldn't be published accidentally through codecov's own tools.

Thanks for your effort.

@jayvdb

jayvdb commented Feb 7, 2017

@pvorb @stevepeak it looks like this was solved.
I don't see the token in the output now, but I have only checked one project.

@stevepeak
Contributor

Correct, this has been resolved in the bash uploader. Thank you for pointing the ticket out.
