ExaWorks SDK

The test upload key should not be hardcoded #137

Closed hategan closed 1 year ago

hategan commented 2 years ago

The tests have a mechanism of ensuring that tests for a site cannot be easily hijacked. A secure random key is generated the first time tests are uploaded for a site. All subsequent result uploads must use the same key. The SDK uses a simplified version of what's in PSI/J. However, it's perhaps too much simplification, since the key is simply hardcoded (and visible to anybody who looks at the code -- or anybody who's looking for the answer to... well... everything).

That should probably change.

mturilli commented 1 year ago

@hategan is this current?

mtitov commented 1 year ago

That was fixed - https://github.com/ExaWorks/SDK/blob/master/.gitlab/README.md - corresponding env variable SDK_DASHBOARD_TOKEN is set within GitLab CI/CD settings, and not revealed even in logs
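
The scheme discussed in this thread (a key bound to a site on its first upload, later uploads required to present the same key, and the key supplied through `SDK_DASHBOARD_TOKEN` instead of source code), as an added Python example that is not part of the thread and is not the ExaWorks or PSI/J code. The names `SiteKeyRegistry`, `accept_upload`, `new_site_key`, `load_upload_key` and `demo`, the in-memory store and the choice to keep only a SHA-256 digest of the key are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets


class SiteKeyRegistry:
    """Hypothetical server side: the first upload for a site binds its key."""

    def __init__(self):
        self._digests = {}  # site id -> SHA-256 digest of the bound key

    @staticmethod
    def _digest(key: str) -> bytes:
        return hashlib.sha256(key.encode("utf-8")).digest()

    def accept_upload(self, site: str, key: str) -> bool:
        if not key:
            return False  # an empty key never binds and never matches
        presented = self._digest(key)
        bound = self._digests.get(site)
        if bound is None:
            self._digests[site] = presented  # first upload: bind the key
            return True
        # Later uploads: constant-time comparison against the bound digest.
        return hmac.compare_digest(bound, presented)


def new_site_key() -> str:
    """Generate a secure random key (32 random bytes as URL-safe text)."""
    return secrets.token_urlsafe(32)


def load_upload_key(env=os.environ) -> str:
    """Client side: read the key from the environment, fail closed if unset."""
    key = env.get("SDK_DASHBOARD_TOKEN", "").strip()
    if not key:
        raise RuntimeError("SDK_DASHBOARD_TOKEN is not set; refusing to upload")
    return key


def demo() -> dict:
    registry = SiteKeyRegistry()
    env = {"SDK_DASHBOARD_TOKEN": new_site_key()}  # constructed CI environment
    return {
        "first": registry.accept_upload("site-a", load_upload_key(env)),
        "repeat": registry.accept_upload("site-a", load_upload_key(env)),
        "guessed": registry.accept_upload("site-a", "guessed-key"),
    }
```

Because the first upload is what binds the key, a key that is readable in the repository lets anyone submit results under an existing site name, which is the problem this issue describes.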