[core] Use Netlify function for feedback management #36472
Conversation
Netlify deploy preview: https://deploy-preview-36472--material-ui.netlify.app/
Bundle size report
Regarding security, these are the current public env tokens; are they safe to be public?
They are defined in Netlify, I don't believe we're leaking these anywhere where a user of the docs can access them. These ones are not safe to be public.
We need to include all the env variables with https://app.netlify.com/sites/material-ui/settings/env so the contributors from the community can run the build: https://docs.netlify.com/environment-variables/get-started/#sensitive-variable-policy So they are accessible to anyone who opens a PR to log them.
Ah yes, I see now, that's a problem indeed, great catch. They seem to suggest we can exclude certain variables from untrusted builds, but it's not 100% clear to me yet how to do that exactly. We should definitely do that if we can for the According to the docs it seems we need to enable "Deploy without sensitive variables" then. But how do you mark variables as public/private then? Just erase the value for "Deploy Previews" context?
About what can be done with those tokens
A solution is to restrict those tokens to production. And if needed for tests, we can still add them for the specific branch. So to log them, attackers would have to have their log in production.
Ok, then I think that we are good.
To be able to delete a message, we need to be the author. So to let the bot delete messages, it has to write them itself.
So instead of using a webhook, this PR uses a call to the serverless function that sends the message to Slack using the API.
Then it's feasible to delete messages. To do so I support two actions:
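The post-and-delete flow described in the PR, as an added example that is not part of this PR or of the material-ui project's code. It assumes a SLACK_BOT_TOKEN environment variable configured on the Netlify site (production context only, per the discussion above) and an injectable fetch so the handler can be exercised offline; the bot token stays server-side and is never echoed to the client.

```javascript
// Added example, not code from the material-ui repository: a Netlify-style
// serverless function that posts docs feedback to Slack as a bot and deletes
// messages the bot itself wrote (Slack only lets the author delete a message).
// The bot token is read from an env var on the server and never reaches the
// browser. The `slackFetch` parameter (injected fetch) and the SLACK_BOT_TOKEN
// variable name are assumptions made for this example.
const SLACK_API = "https://slack.com/api/";

async function callSlack(method, payload, token, slackFetch) {
  const res = await slackFetch(SLACK_API + method, {
    method: "POST",
    headers: { "Content-Type": "application/json; charset=utf-8", Authorization: `Bearer ${token}` },
    body: JSON.stringify(payload),
  });
  const data = await res.json();
  if (!data.ok) throw new Error(`Slack ${method} failed: ${data.error}`);
  return data;
}

const reply = (statusCode, obj) => ({ statusCode, body: JSON.stringify(obj) });

// Supported actions: "post" writes the message as the bot so the bot owns it;
// "delete" removes a message the bot wrote earlier (identified by channel + ts).
async function handleFeedback(event, env = process.env, slackFetch = globalThis.fetch) {
  const token = env.SLACK_BOT_TOKEN;
  if (!token) return reply(500, { error: "SLACK_BOT_TOKEN is not configured" });
  let body;
  try { body = JSON.parse(event.body || "{}"); } catch { return reply(400, { error: "invalid JSON" }); }
  const { action, channel, text, ts } = body;
  if (typeof channel !== "string" || !channel) return reply(400, { error: "channel required" });
  try {
    if (action === "post") {
      if (typeof text !== "string" || !text.trim()) return reply(400, { error: "text required" });
      const data = await callSlack("chat.postMessage", { channel, text }, token, slackFetch);
      return reply(200, { channel: data.channel, ts: data.ts }); // ts is the handle for a later delete
    }
    if (action === "delete") {
      if (typeof ts !== "string" || !ts) return reply(400, { error: "ts required" });
      await callSlack("chat.delete", { channel, ts }, token, slackFetch);
      return reply(200, { deleted: true });
    }
    return reply(400, { error: "unknown action" });
  } catch (err) {
    return reply(502, { error: err.message }); // Slack error codes only, never the token
  }
}

const handler = (event) => handleFeedback(event); // Netlify entry point
if (typeof module !== "undefined") module.exports = { handler, handleFeedback, callSlack };
```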