Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fatal error compromises the token #7

Open
MoOx opened this issue Apr 28, 2015 · 9 comments
Open

fatal error compromises the token #7

MoOx opened this issue Apr 28, 2015 · 9 comments
Assignees
@X1011
Labels
bug

Comments

@MoOx
Copy link
Contributor

MoOx commented Apr 28, 2015

see it by yourself https://travis-ci.org/putaindecode/putaindecode.fr#L8587

Any idea how to catch this to avoid the token to be compromised ?
@MoOx MoOx mentioned this issue Apr 28, 2015
Closed
@X1011
Copy link
Owner

X1011 commented Apr 28, 2015

@MoOx, which build number should i be looking at?

@MoOx
Copy link
Contributor Author

MoOx commented Apr 28, 2015

Oh shit, travis didn't update the link. Let me take a look so I can find the build

@MoOx
Copy link
Contributor Author

MoOx commented Apr 28, 2015

Well to reproduce, juste use an incorrect repo url like repo=https://$GH_TOKEN@github.com/WRONG/PROJECT.git.
When the git failure come, you will get a failure message with the repo url exposed :(

@X1011 X1011 added the bug label May 6, 2015
@X1011 X1011 self-assigned this May 6, 2015
@MoOx
Copy link
Contributor Author

MoOx commented May 13, 2015

So here is an output

> putaindecode.fr@0.0.0 _deploy /home/travis/build/putaindecode/putaindecode.fr
> GH_OWNER=putaindecode GH_PROJECT_NAME=putaindecode.fr ./scripts/deploy-to-gh-pages.sh -v

+set +o verbose
+git diff --exit-code --quiet --cached
++git log -n 1 --format=%s HEAD
+commit_title='Break things on purpose'
++git log -n 1 --format=%H HEAD
+commit_hash=b51086c4b059e57e49432bcca6b22b523ced2292
++git rev-parse --abbrev-ref HEAD
+previous_branch=HEAD
+'[' ']'
+'[' '!' -d dist ']'
++ls -A dist
+[[ -z 404.html
authors
c-est-quoi-putaindecode
CNAME
favicon.ico
feed.xml
humans.txt
icons
images
index.b51086c.js
index.css
index.html
posts
projets
tests.html
tests.js ]]
+disable_expanded_output
+'[' true ']'
+set +o xtrace
git fetch --force $repo $deploy_branch:$deploy_branch
remote: Invalid username or password.
fatal: Authentication failed for 'https://01aeb894368c34fe923b46607e80ed1cec85982d@github.com/putaindecode/putaindecode.fr.shit.git/'

(don't worry this token is dead)
In this example the remote url is wrong because I added a mistake in the repo. But if we can do something to prevent this, it would be great !

@X1011
Copy link
Owner

X1011 commented May 13, 2015

Cool, thanks for the example. I actually have been able to reproduce the issue already, and I'm working on a solution to filter the output of the commands that use $repo. I just haven't had the time to finish it. I'll let you know.

@MoOx MoOx mentioned this issue May 13, 2015
Closed
@MoOx
Copy link
Contributor Author

MoOx commented May 13, 2015

Awesome !
Take your time :)

@X1011 X1011 mentioned this issue Jun 25, 2015
Open
9 tasks
@X1011 X1011 changed the title fatal error comprise the token fatal error compromises the token Oct 13, 2015
@dead-claudia
Copy link

@X1011 Any ETA on this?

@dead-claudia dead-claudia mentioned this issue Feb 14, 2017
Closed
@X1011
Copy link
Owner

X1011 commented Feb 27, 2017

@isiahmeadows unfortunately, no; i have an idea for a solution, and i started implementing it, but i haven't had time to finish it.

charleskorn added a commit to batect/batect that referenced this issue Mar 25, 2018
@charleskorn
Use Travis to publish docs.
69eb67e 
The script we were using has a fairly sigificant security issue
(X1011/git-directory-deploy#7) that could
expose the access token used to push the documentation.
@MasterOdin MasterOdin mentioned this issue Oct 3, 2019
Closed
@jagged3dge
Copy link

@X1011 Could you, maybe, outline your idea here so that contributors could pick this up?

Or, in case you think it isn't an exhaustive solution, consumers could apply it on their own forks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@X1011 X1011

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@MoOx @X1011 @jagged3dge @dead-claudia