algolia / algoliasearch-netlify

Official Algolia Plugin for Netlify. Index your website to Algolia when deploying your project to Netlify with the Algolia Crawler
https://www.algolia.com/doc/tools/crawler/netlify-plugin/quick-start/

Sensitive values in the logs #39

Open ehmicky opened 3 years ago

ehmicky commented 3 years ago

Does the /api/1/netlify/crawl response include any secure/sensitive values?

The response might be printed by one of the following statements:

https://github.com/algolia/algoliasearch-netlify/blob/601d32efd6cf18dbbd81e018fecc2c7cd2e427bc/plugin/src/index.ts#L81

https://github.com/algolia/algoliasearch-netlify/blob/601d32efd6cf18dbbd81e018fecc2c7cd2e427bc/plugin/src/index.ts#L91

https://github.com/algolia/algoliasearch-netlify/blob/601d32efd6cf18dbbd81e018fecc2c7cd2e427bc/plugin/src/index.ts#L99

Netlify build logs are sometimes public, in which case there would be a risk for those sensitive values to be made public as well. However, if this endpoint does not respond with any sensitive values, then this is not a concern. I am raising this up just to be 100% sure :)

bodinsamuel commented 3 years ago

> Netlify build logs are sometimes public

Ah, we did not know that. We don't output anything more than ids, which are protected by ACL. But the response error log could leak a token indeed.

Jerska commented 3 years ago

Worst case scenario, it will leak the API key. While not ideal, all this gives access to is the ability to trigger a crawl, and I don't see many scenarios where this would be abused maliciously.
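One way to keep such values out of a build log, as an added example that is not part of this thread or of the plugin's code: sanitize the error object before printing it. The sensitive key-name pattern, the error shape, and the sample key below are assumptions constructed for illustration.

```typescript
// Added example. Key names and the sample error shape are assumptions, not the plugin's.
const SENSITIVE_KEY = /authorization|api[-_]?key|token|secret|password|cookie/i;
const MASK = '[REDACTED]';

// Replace every occurrence of a known secret value inside a string.
function scrub(text: string, secrets: string[]): string {
  return secrets
    .filter((s) => s.length > 0)
    .reduce((out, s) => out.split(s).join(MASK), text);
}

// Return a deep copy that is safe to print in a (possibly public) build log.
function redactForLog(value: unknown, secrets: string[] = [], seen = new WeakSet<object>()): unknown {
  if (typeof value === 'string') return scrub(value, secrets);
  if (value === null || typeof value !== 'object') return value;
  // Objects already visited (cycles, or the same object referenced twice) are not re-walked.
  if (seen.has(value)) return '[Circular]';
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redactForLog(v, secrets, seen));
  const out: Record<string, unknown> = {};
  // An Error's message is non-enumerable, so copy it explicitly.
  if (value instanceof Error) {
    out['name'] = value.name;
    out['message'] = scrub(value.message, secrets);
  }
  for (const [key, v] of Object.entries(value)) {
    // Mask by key name first, then scrub known secret values from everything else.
    out[key] = SENSITIVE_KEY.test(key) ? MASK : redactForLog(v, secrets, seen);
  }
  return out;
}

// Constructed sample: an HTTP-client-style error; every value here is made up.
function demo(): string {
  const apiKey = 'EXAMPLE_KEY_0123456789';
  const err = Object.assign(new Error(`Request failed with status 403 (key ${apiKey})`), {
    config: { url: '/api/1/netlify/crawl', headers: { Authorization: `Basic ${apiKey}` } },
    response: { status: 403, data: { error: `invalid credentials: ${apiKey}`, crawlerId: 'example-id' } },
  });
  return JSON.stringify(redactForLog(err, [apiKey]));
}

console.log(demo());
```

Passing the key value itself in `secrets` catches copies that a server echoes back in a message body, which key-name matching alone would miss.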

IanVS commented 1 year ago

This seems fairly important, has it been addressed?