scriptburn / git-auto-deploy

Deploy your GitHub, GitLab or Bitbucket projects automatically on Git push events or web hooks

Just a small security improvement #10

Closed galdazbiz closed 6 years ago

galdazbiz commented 6 years ago

I think there's no limit on login attempts; it'd be perfect to implement that, to stop a potential hacker from getting that password and trying their luck with the rest of the services ;) Also, it would be perfect to add "no robots" to the index headers to make the hacker's life a bit more interesting.

galdazbiz commented 6 years ago

In the meantime I've put another protection layer in place with .htpasswd. Also, in the templates, when you link to CSS and JS with `<link href="{{ base_url() }}/assets/css/material.min.css" rel="stylesheet"/>`, I think you can take the `{{ base_url() }}` out of all of them, because it is giving problems with Chrome and the deprecated embedded credentials. Additionally, the web route for the webhook is too easy; if you deploy to production with this, be careful, as anyone could potentially hack it. I've changed that route to a very long one and protected it on the server side so that only GitHub can connect there and execute.

scriptburn commented 6 years ago

Hi, there is no need to embed .htpasswd in the project, as there is already a login page. If you think you need to add one more layer of protection, you can protect an individual install with .htpasswd.

I don't understand your concern regarding the use of the base_url() function. What exactly is the problem it is causing in Chrome, and what do you mean by "deprecated embedded credentials"?

Regarding the webhook being too easy: if you look at the individual repo handler services, app/src/Services/GitHubService.php, app/src/Services/GitLabService.php and app/src/Services/BitBucketService.php,

each one of them has a validate() function whose sole purpose is to block unauthorised requests, either by using a 'secret' where the repo host supports it, or by checking whether the request comes from the IP range that belongs to the service.
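
The two checks the maintainer describes above (a shared secret where the provider supports one, otherwise a source-IP range check), written out as an added example. This is illustrative code, not the project's own validate() implementation: the function shapes, the `X-Hub-Signature-256`-style header handling (GitHub's documented HMAC-SHA256 header format, `sha256=<hex>`), the CIDR allow list and the sample request are all assumptions constructed for the example.

```php
<?php
// Added example, not code from scriptburn/git-auto-deploy. Demonstrates the two
// webhook checks discussed in the thread: an HMAC signature over the raw body
// (preferred) and a source-IP allow list as a fallback when no secret is set.
declare(strict_types=1);

/**
 * Verify a "sha256=<hex>" signature header over the raw request body.
 * hash_equals() compares in constant time, so a wrong signature does not leak
 * how many leading bytes matched.
 */
function verifySignature(string $rawBody, string $secret, ?string $header): bool
{
    if ($header === null || strncmp($header, 'sha256=', 7) !== 0) {
        return false;
    }
    $expected = 'sha256=' . hash_hmac('sha256', $rawBody, $secret);
    return hash_equals($expected, $header);
}

/** True if the IPv4 address lies inside any of the given CIDR blocks. */
function ipInRanges(string $ip, array $cidrs): bool
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;
    }
    foreach ($cidrs as $cidr) {
        [$net, $bits] = explode('/', $cidr, 2);
        $netLong = ip2long($net);
        $bits = (int) $bits;
        if ($netLong === false || $bits < 0 || $bits > 32) {
            continue; // skip malformed entries rather than matching everything
        }
        $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
        if (($addr & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

/**
 * Hypothetical validate(): when a secret is configured the signature decides;
 * only when no secret exists does the IP allow list apply. Everything else is rejected.
 */
function validate(string $rawBody, ?string $secret, ?string $sigHeader,
                  string $remoteIp, array $allowedCidrs): bool
{
    if ($secret !== null && $secret !== '') {
        return verifySignature($rawBody, $secret, $sigHeader);
    }
    return ipInRanges($remoteIp, $allowedCidrs);
}

// Constructed sample request, standing in for php://input and $_SERVER in a real handler.
$body    = '{"ref":"refs/heads/main","repository":{"full_name":"example/repo"}}';
$secret  = 'change-me-to-a-long-random-secret';
$goodSig = 'sha256=' . hash_hmac('sha256', $body, $secret);
$badSig  = 'sha256=' . str_repeat('0', 64);

var_dump(validate($body, $secret, $goodSig, '203.0.113.10', []));      // correct signature
var_dump(validate($body, $secret, $badSig,  '203.0.113.10', []));      // tampered/forged signature
var_dump(validate($body, null, null, '192.0.2.77',   ['192.0.2.0/24'])); // no secret: IP inside allow list
var_dump(validate($body, null, null, '198.51.100.5', ['192.0.2.0/24'])); // no secret: IP outside allow list
```

Two practical caveats for anyone wiring this in: the HMAC must be computed over the exact raw bytes received (read `php://input`, never re-encode a decoded array), and the IP fallback is only as trustworthy as the address the web server reports, so behind a reverse proxy make sure `REMOTE_ADDR` is the proxy-validated client address and not something taken from a client-controlled `X-Forwarded-For` header.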

galdazbiz commented 6 years ago

1) Perfect.
2) https://medium.com/@lmakarov/say-goodbye-to-urls-with-embedded-credentials-b051f6c7b6a3
3) You're right.

The reason I want a second layer is that, as this is publicly accessible code, anyone can check it for inconsistencies and bugs to exploit. Not sure if I have to worry too much about it or not; I'm not super experienced hehe.