
GITHUB_SECRET stored in unsafe place in .env at Get Set for our Back End Development Projects challenge #8854

Closed
myprtfl opened this issue May 30, 2016 · 4 comments
Labels
other: decayed Stale issues that need follow up from commentators. Were closed for inactivity

Comments


myprtfl commented May 30, 2016

Challenge Name

https://www.freecodecamp.com/challenges/get-set-for-our-back-end-development-projects

Issue Description

GITHUB_SECRET is stored in the .env file at a Cloud9 workspace.
The workspace is set to public as shown in step 2 / 14.
Anyone with a Cloud9 account can have access to the GITHUB_SECRET.
This is against the GitHub document https://developer.github.com/guides/basics-of-authentication/
"The Client Secret should not be shared!"

Screenshot

Demonstrates access as a guest to the .env file at the workspace shown in the challenge https://ide.c9.io/happycoder42/test.

@raisedadead
Member

Cloud Nine allows one private repo per developer. I recommend you make your repo private and only the application URI public so that anyone can still see the demo, whilst securing the repo codebase.

We could do a wiki on that.

@raisedadead raisedadead added the status: discussing Under discussion threads. Closed as stale after 60 days of inactivity. label May 30, 2016
@myprtfl
Author

myprtfl commented Jun 2, 2016

Without knowing the risk, learners may put other sensitive data, like a database connection URL with a password, in this location.
This may bring other risks.
For example, loss of other accounts the learner owns if they have the same password.
A chance to introduce some information security basics.
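One way to catch what the opening report and the comment above describe before a workspace or repo goes public, as an added example that is not code from the issue thread or from freeCodeCamp: a small Node.js audit that parses .env, flags secret-like keys (such as GITHUB_SECRET) and connection URLs that embed a password, and checks that .env is listed in .gitignore. The key-name pattern and the constructed sample files are assumptions.

```javascript
// Added example, not code from the issue thread or from freeCodeCamp: audit a .env
// file's text for credential-like entries and confirm .env is gitignored so it never
// reaches a public repo or workspace. The key-name pattern is an assumption, not a standard.
const SECRET_KEY_PATTERN = /(SECRET|TOKEN|PASSWORD|PASS|API_KEY|PRIVATE_KEY)$/i;
const URL_WITH_PASSWORD = /^[a-z][a-z0-9+.-]*:\/\/[^/:@\s]+:[^/@\s]+@/i; // scheme://user:pw@host

// Parse KEY=VALUE lines; skip blanks and comments, strip one layer of matching quotes.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.length >= 2 && value.endsWith(q)) value = value.slice(1, -1);
    vars[key] = value;
  }
  return vars;
}

// True when .gitignore has a line that covers .env (exact entry or a common glob).
function dotenvIsIgnored(gitignoreText) {
  const covered = new Set(['.env', '/.env', '*.env', '.env*']);
  return gitignoreText.split(/\r?\n/).some((l) => covered.has(l.trim()));
}

// Returns human-readable findings; an empty array means nothing to fix.
function auditDotenv(envText, gitignoreText) {
  const findings = [];
  for (const [key, value] of Object.entries(parseDotenv(envText))) {
    if (SECRET_KEY_PATTERN.test(key) && value) findings.push(`${key}: secret-like key holds a value`);
    else if (URL_WITH_PASSWORD.test(value)) findings.push(`${key}: connection URL embeds a password`);
  }
  if (findings.length > 0 && !dotenvIsIgnored(gitignoreText)) findings.push('.env is not listed in .gitignore');
  return findings;
}

// Constructed sample files mirroring the thread: a GitHub OAuth secret and a DB URL with a password.
const SAMPLE_ENV = [
  'GITHUB_ID=abc123',
  'GITHUB_SECRET="0123456789abcdef"',
  'MONGO_URI=mongodb://learner:hunter2@localhost:27017/app',
  'APP_URL=http://localhost:3000',
].join('\n');
const SAMPLE_GITIGNORE = 'node_modules/\n';
console.log(auditDotenv(SAMPLE_ENV, SAMPLE_GITIGNORE));
```

Run it as a pre-commit step or in CI against the real .env and .gitignore; any non-empty result should block the push.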

@raisedadead
Member

@myprtfl yup, I completely understand and agree with what you mean, and just to assure you, we have something planned on that as well, refer #6669

@raisedadead raisedadead added other: decayed Stale issues that need follow up from commentators. Were closed for inactivity and removed status: discussing Under discussion threads. Closed as stale after 60 days of inactivity. labels Dec 12, 2016
@raisedadead
Member

Closing as decayed.
