Closed rdmulford closed 3 years ago
Expected Behavior
Slack workspace tokens are considered secret, so they should not be logged in any way.
Current Behavior
The error message in the post message handler: https://github.com/target/captains-log/blob/97562c19fbc6c86bd2ba71ff3d8f7e35054911fd/src/handlers/postMessageHandler.js#L24
is logging the Slack URL token in CI logs:
Channel not found at URL: xoxp-[REDACTED] TypeError: Only absolute URLs are supported
Possible Solution
Remove the Slack token URL from the log.
Context
Exposing a Slack token is a security vulnerability.
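An added example (not captains-log's own code) of the pattern the issue describes and one way to harden it: the failing URL, which carries the token, is never interpolated into the error message, and a scrubber masks anything that looks like a Slack token before it reaches a CI log. The `xox?-` token regex, the helper names and the sample token are assumptions constructed for this example.

```javascript
// Assumption: Slack tokens share the xox?-... prefix family (the issue shows xoxp-).
const SLACK_TOKEN_RE = /\bxox[a-z]-[A-Za-z0-9-]+/g;

// Replace every token-looking substring with a fixed marker.
function redactTokens(text) {
  return String(text).replace(SLACK_TOKEN_RE, 'xox?-[REDACTED]');
}

// Vulnerable pattern: the URL that failed (here, the raw token) is pasted
// straight into the error message, so the secret lands in the CI log.
function formatErrorUnsafe(url, err) {
  return `Channel not found at URL: ${url} ${err.name}: ${err.message}`;
}

// Hardened pattern: log a non-secret identifier (the channel name) instead of
// the URL, and scrub the result anyway in case the library's own error text
// echoes the request target.
function formatErrorSafe(channel, err) {
  return redactTokens(`Channel not found for channel "${channel}" ${err.name}: ${err.message}`);
}

// Defensive wrapper around any logger: every string argument is scrubbed, so a
// token that slips into any message (stack traces included) is still masked.
function scrubbedLogger(base) {
  return (...args) => base(...args.map(a => (typeof a === 'string' ? redactTokens(a) : a)));
}

// Constructed sample: a fabricated token value, not a real credential.
const SAMPLE_TOKEN = 'xoxp-0000000000-1111111111-2222222222-abcdef';
const sampleErr = new TypeError('Only absolute URLs are supported');

// Returns both messages plus whether each one leaks the sample token.
function demo() {
  const unsafe = formatErrorUnsafe(SAMPLE_TOKEN, sampleErr);
  const safe = formatErrorSafe('#deploys', sampleErr);
  return {
    unsafe,
    safe,
    unsafeLeaks: unsafe.includes(SAMPLE_TOKEN),
    safeLeaks: safe.includes(SAMPLE_TOKEN),
  };
}

const logError = scrubbedLogger(console.error);
logError(demo().unsafe); // the wrapper masks the token even in the unsafe message
```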