Open anishkny opened 6 years ago
Just noticed this. It's a very serious security issue. GitHub tokens have a wide permission scope. Ideally this project should use deploy tokens instead since they are restricted to pushing to the specific repo.
Until this is addressed I will have to redirect all output to /dev/null
I looked into this more. Seems like deploy keys are supported but undocumented:
```js
const url = require('url')

// Default remote is SSH; a configured gitUrl (e.g. a deploy-key remote) overrides it.
let remote = `git@github.com:${info.repoSlug}`
if (info.gitUrl) remote = info.gitUrl
// With GH_TOKEN set the remote is forced to HTTPS and the token is written into the
// URL's userinfo, so anything that prints the remote prints the token.
if (env.GH_TOKEN) {
  if (remote.slice(0, 5) !== 'https') remote = `https://github.com/${info.repoSlug}`
  const urlParsed = url.parse(remote)
  urlParsed.auth = env.GH_TOKEN
  remote = url.format(urlParsed)
}
```
I've updated my CI configs to use deploy keys.
I think deploy keys should be recommended over tokens, and if using tokens the output should be redirected to hide it.
Any update on this?
@Realtin this is a fairly significant security issue, any chance someone can take a look at this? (And ideally document that Deploy Keys are also supported?)
Sorry for the late reply here. Since this was undocumented behaviour, we didn’t catch this in time. I’ve pushed a branch that should address this. Would you fine folks here be able to give it a spin & review?
Thanks a lot!
Is this still an open issue?
I am not sure if this is intended.
See "Upload greenkeeper-lockfile" step in anishkny/realworld-e2e-test/39