GH_TOKEN is leaked #8

Closed
azu opened this Issue Jun 8, 2015 · 4 comments

azu commented Jun 8, 2015

@jirutka Hi, I found a security issue.

def push(remote_url, branch)
    sh "git push -q #{remote_url} #{branch}:#{branch}"
end

This code shows GH_TOKEN in the Travis CI console...

@jirutka jirutka added the bug label Jun 8, 2015

razor-x commented Jun 8, 2015

This is pretty serious. I recommend switching to the deploy key method (see #6), but for a fix, wrapping this like

verbose false do
  sh(...)
end

should suppress the output.

@azu azu referenced this issue in jser/jser.github.io Jun 9, 2015

Closed

Support Multiple Languages #83

4 of 4 tasks complete

azu commented Jun 10, 2015

sh "git clone '#{url}' ."

I notice that git clone has the same problem. (And is the -q option necessary?)
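
An added example, not part of the thread or the project's code: a stricter variant of the `push` helper quoted above that never echoes the command line and scrubs URL credentials from git's own output, since git error messages can include the remote URL. The names `USERINFO`, `redact` and `run_redacted` and the sample URL are constructed for illustration.

```ruby
require 'open3'

# Credentials embedded in a URL: everything between "://" and "@".
USERINFO = %r{(?<=://)[^/@\s]+(?=@)}

# Mask URL credentials and any explicitly listed secret values in text.
def redact(text, secrets = [])
  out = text.gsub(USERINFO, '***')
  secrets.compact.reject(&:empty?).each { |s| out = out.gsub(s, '***') }
  out
end

# Run a command without a shell and without echoing its command line.
# Returns [scrubbed combined stdout/stderr, success flag].
def run_redacted(*argv, secrets: [])
  output, status = Open3.capture2e(*argv)
  [redact(output, secrets), status.success?]
end

# Hardened counterpart of the push helper quoted in the issue.
def push(remote_url, branch)
  out, ok = run_redacted('git', 'push', '-q', remote_url, "#{branch}:#{branch}",
                         secrets: [ENV['GH_TOKEN']])
  raise "git push to #{redact(remote_url)} failed:\n#{out}" unless ok
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not taken from the issue.
  url = 'https://CONSTRUCTED0123456789abcdef@github.com/example/repo.git'
  puts redact("git push -q #{url} master:master")
  out, = run_redacted('echo', "fatal: unable to access '#{url}'")
  puts out
end
```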

@jirutka jirutka closed this in 40993b3 Jun 16, 2015

jirutka (Owner) commented Jun 16, 2015

Fixed in v1.0.4.

Sorry for the late response, I’ve been quite busy. Thanks @azu for the report and @razor-x for the tip.

azu commented Jun 17, 2015

@jirutka Thanks! 👍
