Security tokens might be exposed in cassettes #704
Comments
There is no way for VCR to know what data in a request is secret or not.
Please use the filter sensitive data feature for this
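Added example, not code from the VCR project or from anyone in this thread, of the feature referred to above together with the grep from the issue turned into a check. `configure_vcr` uses VCR's real `filter_sensitive_data` and `before_record` hooks but needs the vcr and webmock gems, so it is only shown, not run here; the token value, the placeholder names and the cassette content are constructed, and `scrub_cassette` is a stand-alone imitation of the string substitution VCR applies when it serializes an interaction:

```ruby
require 'yaml'

# Constructed values for the example; a real token comes from ENV or a secrets store.
EXAMPLE_TOKEN = 'ghp_EXAMPLEtoken0123456789'
PLACEHOLDER   = '<GITHUB_TOKEN>'

# Real VCR configuration (needs the vcr and webmock gems, so not exercised below).
def configure_vcr(token)
  require 'vcr'
  VCR.configure do |c|
    c.cassette_library_dir = 'spec/cassettes'
    c.hook_into :webmock
    # Replace the raw token wherever it appears in the recorded interaction
    # (headers, query string, body).
    c.filter_sensitive_data(PLACEHOLDER) { token }
    # Basic auth carries the token base64-encoded, which a plain string match
    # never sees, so the encoded form needs its own filter (octokit-style user:token).
    c.filter_sensitive_data("Basic #{PLACEHOLDER}") do
      'Basic ' + ["#{token}:x-oauth-basic"].pack('m0')
    end
    # Alternatively drop the header before the interaction is written at all;
    # replaying does not need it.
    c.before_record { |interaction| interaction.request.headers.delete('Authorization') }
  end
end

# Stand-alone equivalent of filter_sensitive_data: every occurrence of each
# secret in the serialized cassette is replaced by its placeholder.
def scrub_cassette(yaml_text, secrets)
  secrets.reduce(yaml_text) { |text, (secret, placeholder)| text.gsub(secret, placeholder) }
end

# The grep from the issue as a function: 1-based numbers of lines still carrying the token.
def leaking_lines(yaml_text, token)
  yaml_text.each_line.with_index(1).select { |line, _| line.include?(token) }.map(&:last)
end

# Constructed cassette in VCR's YAML layout, as recorded for an API call made with a PAT.
SAMPLE_CASSETTE = <<~YAML
  ---
  http_interactions:
  - request:
      method: get
      uri: https://api.github.com/user?access_token=#{EXAMPLE_TOKEN}
      headers:
        Authorization:
        - token #{EXAMPLE_TOKEN}
    response:
      status:
        code: 200
      body:
        string: '{"login":"octocat"}'
  recorded_with: VCR 4.0.0
YAML

# Scrub the sample cassette and report where the token was before and after.
def demo
  secrets  = { EXAMPLE_TOKEN => PLACEHOLDER }
  before   = leaking_lines(SAMPLE_CASSETTE, EXAMPLE_TOKEN)
  scrubbed = scrub_cassette(SAMPLE_CASSETTE, secrets)
  after    = leaking_lines(scrubbed, EXAMPLE_TOKEN)
  header   = YAML.safe_load(scrubbed)['http_interactions'][0]['request']['headers']['Authorization']
  { before: before, after: after, header: header }
end

puts demo.inspect if __FILE__ == $0
```

The filter works by string substitution, so it catches the token only in the exact form the block returns: a base64-encoded Basic credential, a URL-encoded query value or a token embedded in a JSON body with escaped characters each need their own filter, and the `leaking_lines` grep over the written cassette is the cheap way to confirm nothing slipped through. `before_record` removes the header outright, which matches the suggestion in the issue that the token need not be written at all.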
@krainboltgreene I have the same concern/issue as @zerogvt (and probably many other people, based on a simple search for "secret": https://github.com/vcr/vcr/issues?utf8=%E2%9C%93&q=secret). I agree with you. It's impossible for VCR to know all the secrets and tokens. However, I think it would be really helpful if there were a mention of this in the README. Yes, I see the link posted by @mcfiredrill. I've been using VCR for several years now and this is the first time I have seen that link. It's there, but not the easiest to find, yet I think it's important enough that it should be more visible.
I've created a PR if you think this is worth merging: #783
Security tokens (secrets) also get written into cassettes. I noticed this in an enterprise environment (using octokit to interact with the company's GitHub). My token was written unencrypted, and it just takes a simple grep for `token` in the cassettes to reveal it. The token is generally not needed to replay cassettes, so it could either be removed at the end of the HTTP dialogue or not get written in the first place.