Looks like the Ruby SDK is sending the API key and secret via the query string; they should be sent via the body instead.
We used gzr (https://github.com/looker-open-source/gzr), which uses this SDK underneath, to import a dashboard, and we are seeing the secret being logged in our firewall logs and server logs. Basically, anyone who looks at this request (MITM style) can see our auth credentials without having to SSL-decrypt the request.
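Added example, not part of the original report and not the SDK's or gzr's own code: it builds the same login request both ways with Ruby's Net::HTTP (without sending it) and shows the request line an access log would record in each case, plus a redaction helper for log lines already written. The host, the `/api/login` path and the credential values are constructed placeholders.

```ruby
require 'net/http'
require 'uri'

# Constructed placeholder values; not a real host, path or credential.
BASE_URL      = 'https://looker.example.com/api/login'
CLIENT_ID     = 'EXAMPLE_CLIENT_ID'
CLIENT_SECRET = 'EXAMPLE_CLIENT_SECRET'

# Credentials in the query string: they become part of the request target,
# which firewalls, proxies and web servers commonly write to their logs.
def login_via_query(base_url, id, secret)
  uri = URI(base_url)
  uri.query = URI.encode_www_form(client_id: id, client_secret: secret)
  Net::HTTP::Post.new(uri)
end

# Credentials in a form-encoded body: the request target carries no secret.
def login_via_body(base_url, id, secret)
  req = Net::HTTP::Post.new(URI(base_url))
  req.set_form_data(client_id: id, client_secret: secret)
  req
end

# What a typical access log records: method and request target only.
def request_line(req)
  "#{req.method} #{req.path}"
end

# Scrub the secret from a request line that has already been logged.
def redact(line)
  line.gsub(/(client_secret=)[^&\s]+/, '\1[REDACTED]')
end

query_req = login_via_query(BASE_URL, CLIENT_ID, CLIENT_SECRET)
body_req  = login_via_body(BASE_URL, CLIENT_ID, CLIENT_SECRET)

puts "query string: #{request_line(query_req)}"
puts "form body:    #{request_line(body_req)}"
puts "redacted:     #{redact(request_line(query_req))}"
```

Any secret that has already appeared in a logged request line should be rotated; redaction only limits further spread of the existing log data.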