ApplETS / Notre-Dame

The 4th generation of ÉTSMobile, the main gateway between the École de technologie supérieure and its students on mobile devices
Apache License 2.0
39 stars, 11 forks

Remove Github API Token from application #1098

Open XavierPaquet-Rapold opened 2 days ago

XavierPaquet-Rapold commented 2 days ago

Describe the bug

The application uses a GitHub API token from the ClubAppletServer account, which is the admin account for the organization. The token can be found in the compiled project. The token is used to send issues to the GitHub project directly from the application.

Expected behavior

The token should not be exposed. The considered options are:

  1. Remove the "Request a feature" and "report a bug" feature
  2. Send an email to App|ÉTS with the content
  3. Create an API to send the issue.

Additional context

The chosen solution is to remove the feature, because it is not used much, and most of the time it is used, the issue is closed shortly afterwards without a fix.
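As an added example, not part of this issue or the project's code: a small scanner of the kind a maintainer could run over a build artifact (or over `strings` output from one) to confirm whether a GitHub token or a direct GitHub API call is still present after the feature is removed. The sample "artifact" below is constructed, the token in it is fabricated, and the token formats it matches (the `ghp_`, `gho_`/`ghs_`/`ghu_`/`ghr_` and `github_pat_` prefixes) are an assumption about GitHub's current token formats rather than anything stated in this issue.

```python
import re
import sys

# Constructed sample resembling printable strings pulled from a compiled
# mobile app bundle. The token value is fabricated for this example only.
SAMPLE_ARTIFACT = b"""
libapp.so
https://api.github.com/repos/ApplETS/Notre-Dame/issues
Authorization: token ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
user-agent: etsmobile
"""

# Assumed GitHub token shapes (prefix + alphanumeric body). If GitHub changes
# its formats, these patterns need updating; they are detection hints, not a
# specification.
TOKEN_PATTERNS = {
    "github_classic_pat": re.compile(rb"ghp_[A-Za-z0-9]{36}"),
    "github_oauth_app_or_refresh": re.compile(rb"gh[osur]_[A-Za-z0-9]{36}"),
    "github_fine_grained_pat": re.compile(rb"github_pat_[A-Za-z0-9_]{22,}"),
}

# A direct call to api.github.com from a client app is itself a signal that
# some credential must be shipped with the app.
API_ENDPOINT = re.compile(rb"https://api\.github\.com/[^\s\"']*")


def redact(token: str) -> str:
    """Keep only the prefix and last 4 chars so findings can be reported
    without re-leaking the secret in logs or tickets."""
    return token[:7] + "..." + token[-4:]


def scan_for_github_tokens(blob: bytes) -> list[dict]:
    """Return one finding per token-like match: kind, 1-based line, redacted value."""
    findings = []
    for kind, pattern in TOKEN_PATTERNS.items():
        for m in pattern.finditer(blob):
            line = blob.count(b"\n", 0, m.start()) + 1
            findings.append({
                "kind": kind,
                "line": line,
                "redacted": redact(m.group(0).decode("ascii", "replace")),
            })
    return sorted(findings, key=lambda f: f["line"])


def find_github_api_references(blob: bytes) -> list[str]:
    """Return every api.github.com URL embedded in the artifact."""
    return [m.group(0).decode("ascii", "replace") for m in API_ENDPOINT.finditer(blob)]


def scan_file(path: str) -> list[dict]:
    """Scan a real artifact (APK, .so, IPA payload, ...) read as raw bytes."""
    with open(path, "rb") as fh:
        return scan_for_github_tokens(fh.read())


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ARTIFACT
    for f in scan_for_github_tokens(blob):
        print(f"token-like value: {f['kind']} at line {f['line']}: {f['redacted']}")
    for url in find_github_api_references(blob):
        print(f"direct GitHub API reference: {url}")
```

Run it with no argument to see the constructed sample flagged, or pass a path to a build output to scan it. Matching on the token prefix rather than on any long random string keeps false positives low, and the redaction step matters because a scanner that prints the full token turns a CI log into a second copy of the secret.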

XavierPaquet-Rapold commented 2 days ago

I disabled the token that was in use, so the feature is now unusable, even in the production app. The security vulnerability is fixed temporarily.