censor authorization part of headers before logging ReST API request #3248
+58 −5
GitHub tokens were found to be "leaking" into the top-level log file when using `--from-pr` combined with `--debug`, as reported by @zao:

That's clearly not desirable, so the changes in this PR censor the `Authorization` part of the headers before the debug log statement.

To clarify the scope of this a bit:

- the log message only appears in the top-level log file, not in the individual software installation logs (see https://easybuild.readthedocs.io/en/latest/Logfiles.html);
- `--upload-test-report` in combination with `--from-pr`, nor in the installation logs that are copied to the software installation directories;
- the message is only logged when using `--debug`, so it will not appear when using the default EasyBuild configuration (only `info` messages are logged by default);
- the log message is triggered via `--from-pr`, but also via various other GitHub integration options like `--new-pr`, `--merge-pr`, `--close-pr`, etc., but usually only appears in the temporary log file that is cleaned up automatically as soon as `eb` completes successfully;
- you may have several debug log files that include your GitHub token in `/tmp` (or a different location if you've set the `--tmpdir` EasyBuild configuration option) on the systems where you use EasyBuild, but they are located in a subdirectory that is only accessible to your account (permissions set to 700);
- the only way that a log file that may include your token could have been made public is if you shared it yourself, for example by copying the contents of the log file into a gist manually, or by sending a log file to someone;
- for log files uploaded to GitHub, your token would be revoked automatically when GitHub notices it (which is what happened to @zao)

We strongly encourage that you revoke the GitHub tokens you are using currently, via https://github.com/settings/tokens, and to replace them using a new token (using `eb --install-github-token --force`).

(this PR also includes the fixes from #3212 and #3226, which are required to get the full test suite to pass)
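As an added illustration of the kind of fix described above (example code written for this page, not the code from this PR or from EasyBuild; the function names `censor_headers`, `log_request` and `capture_debug_log` and the `<censored>` marker are assumptions), the following Python snippet copies a request's headers, replaces the secret part of `Authorization`-style headers, and only then hands them to a DEBUG log statement. The scheme prefix (`token`, `Bearer`) is kept because it helps when reading the log and is not secret; the original mapping is left unchanged so the real header can still be sent with the request.

```python
import io
import logging

# Header names whose values must never reach a log file (matched case-insensitively).
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization"})
REDACTED = "<censored>"  # assumed marker; pick whatever your project uses


def censor_headers(headers):
    """Return a copy of `headers` with the secret part of sensitive headers replaced.

    The input mapping is not modified, so the caller can still send the real
    headers with the request and log only the censored copy.
    """
    censored = dict(headers)  # shallow copy; header values are strings
    for name, value in headers.items():
        if name.lower() in SENSITIVE_HEADERS:
            # Keep an auth scheme such as "token" or "Bearer", drop the credential itself.
            scheme, sep, _secret = value.partition(" ")
            censored[name] = (scheme + " " + REDACTED) if sep else REDACTED
    return censored


def log_request(logger, method, url, headers):
    """Log a ReST API request at DEBUG level, censoring headers first."""
    logger.debug("%s %s headers: %s", method, url, censor_headers(headers))


def capture_debug_log(method, url, headers):
    """Run log_request against an in-memory handler and return the resulting log text.

    This stands in for the log file, so the caller can check what would have been written.
    """
    buf = io.StringIO()
    logger = logging.getLogger("censor_example")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    logger.addHandler(handler)
    try:
        log_request(logger, method, url, headers)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample headers; the token value is a placeholder, not a real credential.
    sample_headers = {
        "Authorization": "token ghp_EXAMPLEPLACEHOLDER0000000000000000",
        "Accept": "application/vnd.github.v3+json",
    }
    print(capture_debug_log("GET", "https://api.github.com/user", sample_headers), end="")
```

The check worth keeping in a test suite is the last one below: log the request with a known placeholder token and assert that the placeholder never appears in the captured log text, so a future change that logs the raw headers again is caught immediately.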