jirutka / rake-jekyll

Rake tasks for Jekyll as a gem.
MIT License
30 stars, 3 forks

GH_TOKEN is leaked #8

Closed azu closed 9 years ago

azu commented 9 years ago

@jirutka Hi, I found a security issue.

https://github.com/jirutka/rake-jekyll/blob/908a0962afadc8e20ad6f5d8372545c595b99b84/lib/rake-jekyll/git_deploy_task.rb#L55

def push(remote_url, branch)
    sh "git push -q #{remote_url} #{branch}:#{branch}"
end

This code shows GH_TOKEN in the Travis CI console...


razor-x commented 9 years ago

This is pretty serious. I recommend switching to the deploy key method (see #6), but for a fix, wrapping this like

verbose false do
  sh(...)
end

should suppress the output.

azu commented 9 years ago

https://github.com/jirutka/rake-jekyll/blob/908a0962afadc8e20ad6f5d8372545c595b99b84/lib/rake-jekyll/git_deploy_task.rb#L19 I noticed that git clone has the same problem. (And is the -q option necessary?)

jirutka commented 9 years ago

Fixed in v1.0.4.

Sorry for late response, I’ve been quite busy. Thanks @azu for the report and @razor-x for the tip.

azu commented 9 years ago

@jirutka Thanks! :+1: