Don't expose API Keys on stdout #4
Comments
I think with the current implementation logging isn't the only concern. The app accepts the keys via CLI flags. This is enough to leak the keys as they will be seen in A better approach would be to read the keys from a secrets file.
True. Looking at the manifest file, I already see that Just out of interest, what benefits do secret files give us? Cheers!
A process's environment variables can be observed from the outside either by looking at Reading the secrets from a secrets file allows restricting the access to the file with OS level permissions.
As commented in #6 this isn't 100% fixed yet. I'll address it later.
Hi,
I just saw the following line and it made me concerned about security:
github-weather/main.go
Line 64 in 86166c0
Is it really a good idea to expose these values? A simple message that one of the needed keys wasn't provided, or better, one that mentions the specific missing key, would IMHO be a nice approach for the user.
What was the reason to expose these values?
Cheers!