target / captains-log

A continuous integration plugin that helps organize release information in slack
https://target.github.io/captains-log/

bug(security): slack URL token being logged in error message #115

Closed rdmulford closed 3 years ago

rdmulford commented 3 years ago

Expected Behavior

Slack workspace tokens are considered secret, so they should not be logged in any way.

Current Behavior

The error message in the post message handler: https://github.com/target/captains-log/blob/97562c19fbc6c86bd2ba71ff3d8f7e35054911fd/src/handlers/postMessageHandler.js#L24

is logging the Slack URL token in CI logs:

Channel not found at URL: xoxp-[REDACTED] TypeError: Only absolute URLs are supported

Possible Solution

Remove the Slack token URL from the log.

Steps to Reproduce (for bugs)

  1. Configure captains-log to post to an invalid channel.
  2. Look in the CI logs for the error message containing the Slack token.

Context

Exposing the Slack token is a security vulnerability.
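As an added example (not code from target/captains-log), the log-line shape reported in this issue beside a hardened builder that strips Slack tokens before anything reaches CI logs; the `xox?-` token prefix pattern, the message format and the sample token are assumptions.

```javascript
// Added example, not captains-log's own code. Redacts Slack tokens from a
// log message before it is written. Prefix pattern and format are assumptions.

// Slack tokens share an "xox?-" prefix (bot, user, app, ...); anchor on that.
const SLACK_TOKEN_RE = /\bxox[a-z]-[A-Za-z0-9-]+/g;

function redactSlackTokens(text) {
  return String(text).replace(SLACK_TOKEN_RE, 'xox*-[REDACTED]');
}

// The shape the issue reports: the raw URL (token included) and the raw
// error text are interpolated straight into the log message.
function unsafeChannelNotFoundMessage(url, err) {
  return `Channel not found at URL: ${url} ${err.name}: ${err.message}`;
}

// Hardened: redact both the URL and the error text, since a fetch error
// may echo the offending URL back inside its own message.
function safeChannelNotFoundMessage(url, err) {
  const cleanUrl = redactSlackTokens(url);
  const cleanErr = redactSlackTokens(`${err.name}: ${err.message}`);
  return `Channel not found at URL: ${cleanUrl} ${cleanErr}`;
}

// Guard a log sink can apply before writing: true if a token survived.
function containsSlackToken(line) {
  SLACK_TOKEN_RE.lastIndex = 0; // a global regex keeps state across .test()
  return SLACK_TOKEN_RE.test(line);
}

// Constructed sample: a fake token and the non-absolute URL that would
// trigger the "Only absolute URLs are supported" error from the issue.
const FAKE_TOKEN = 'xoxp-0000000000-EXAMPLE';
const badUrl = `${FAKE_TOKEN}/chat.postMessage?channel=%23missing`;
const fetchErr = new TypeError('Only absolute URLs are supported');

const leaked = unsafeChannelNotFoundMessage(badUrl, fetchErr);
const redacted = safeChannelNotFoundMessage(badUrl, fetchErr);
console.log(leaked);   // token visible in CI logs
console.log(redacted); // xox*-[REDACTED] in its place
```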