
Exposed Google OAuth Key #1

Open
AhiVT opened this issue Nov 3, 2019 · 2 comments

Comments

@AhiVT

AhiVT commented Nov 3, 2019

Potential security breach. See /posidrive/init.py

@arthuriantech
Member

Thanks for the issue. Here's what the Google documentation has to say about this case:
The process results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)
Do you have specific proposals about it?

@AhiVT
Copy link
Author

AhiVT commented Nov 3, 2019

@arthuriantech Ensure that the OAuth token in question was created for Installed Application. If it is, you can safely disregard this issue.

If this token is used outside of a user-installed application (server API with large access scopes) you should immediately revoke the token and refrain from committing future tokens to GitHub. I recommend setting environment variables and git-ignored .env files for this.

I was unable to report this as a security vulnerability since the repository has not set up a Security Policy. I highly recommend setting that up for this project.
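As an added example (not code from the posidrive project or from either commenter) of the fix recommended above: Python that loads the OAuth client ID and secret from the environment or a git-ignored .env file, failing loudly when they are absent so nothing silently falls back to a value in source, plus a pre-commit-style check that flags Google OAuth client IDs and client-secret literals hard-coded in a file. The environment variable names and the sample source are assumptions constructed for this example.

```python
import os
import re

# Assumed variable names for this example; the project's own names are not on the page.
ENV_CLIENT_ID = "GOOGLE_OAUTH_CLIENT_ID"
ENV_CLIENT_SECRET = "GOOGLE_OAUTH_CLIENT_SECRET"

# Google OAuth client IDs have the shape "<digits>-<alnum>.apps.googleusercontent.com".
CLIENT_ID_RE = re.compile(r"\b\d{6,}-[a-z0-9]+\.apps\.googleusercontent\.com\b")
# A string literal assigned to anything named like a client secret (case-insensitive).
SECRET_ASSIGN_RE = re.compile(r"client[_-]?secret\s*[=:]\s*['\"][^'\"]{8,}['\"]", re.I)


def parse_dotenv(text):
    """Parse KEY=VALUE lines of a .env file; blank lines and # comments are ignored."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[key.strip()] = value.strip().strip("'\"")
    return values


def load_oauth_config(env=None):
    """Read the client ID and secret from env (default: os.environ); raise if either is missing."""
    env = os.environ if env is None else env
    missing = [k for k in (ENV_CLIENT_ID, ENV_CLIENT_SECRET) if not env.get(k)]
    if missing:
        raise RuntimeError("missing OAuth settings: " + ", ".join(missing))
    return {"client_id": env[ENV_CLIENT_ID], "client_secret": env[ENV_CLIENT_SECRET]}


def find_hardcoded_oauth(source):
    """Return (line_no, kind, match) for client IDs or secret literals found in source text."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in CLIENT_ID_RE.finditer(line):
            hits.append((no, "client_id", m.group(0)))
        for m in SECRET_ASSIGN_RE.finditer(line):
            hits.append((no, "client_secret", m.group(0)))
    return hits


# Constructed sample of a module that embeds credentials (both values are fake).
SAMPLE_SOURCE = (
    'CLIENT_ID = "123456789012-abc123def456.apps.googleusercontent.com"\n'
    'CLIENT_SECRET = "not-a-real-secret-value"\n'
)

if __name__ == "__main__":
    for hit in find_hardcoded_oauth(SAMPLE_SOURCE):
        print("line %d: hard-coded %s: %s" % hit)
```

Running `find_hardcoded_oauth` over staged files from a pre-commit hook blocks the commit before a credential reaches the remote, which is cheaper than revoking afterwards.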
