thoth-station / kebechet

I'm Kebechet bot, goddess of freshness - I will keep your source code fresh and up-to-date

Logs leak access token #1123

Closed codificat closed 2 years ago

codificat commented 2 years ago

Bug description

When looking at the logs of a kebechet workflow run, I noticed this towards the beginning:

2022-08-31 11:21:58,404   1 INFO     kebechet.utils:59: Cloning repository https://username:token@github.com/thoth-station/s2i-minimal-notebook to .

Steps to Reproduce

Steps to reproduce the behavior:

  1. Trigger an action that results in a Kebechet manager cloning a repo
  2. Look at the logs of the resulting workflow execution
  3. Find the gh access token in the logs

Actual behavior

Logs include access credentials in plain text

Expected behavior

No credentials are leaked to the logs

Environment information

Kebechet v1.10.3

Additional context

The offending line is: https://github.com/thoth-station/kebechet/blob/c864a6babfa2727392dd62b56915739cc3c5b051/kebechet/utils.py#L59
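
One way to stop this class of leak, as an added example that is not Kebechet's own code (the report points at `kebechet/utils.py`, which is not reproduced here): redact the userinfo part of any URL before it reaches a log line, and additionally install a `logging.Filter` on the handler so that any message containing a `scheme://user:secret@host` URL is scrubbed even if a caller forgets to redact. The token value `ghp_EXAMPLETOKEN1234` below is constructed; only the URL shape (`https://username:token@github.com/...`) comes from the log line in the report.

```python
import io
import logging
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample value: same shape as the leaked line in the report,
# but the token itself is made up for this example.
SAMPLE_URL = "https://username:ghp_EXAMPLETOKEN1234@github.com/thoth-station/s2i-minimal-notebook"

# Matches scheme://... up to the next whitespace or quote; used to find URLs
# embedded in arbitrary log messages.
_URL_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://[^\s'\"<>]+")


def redact_url_credentials(url: str, placeholder: str = "***") -> str:
    """Return ``url`` with the secret part of its userinfo replaced.

    ``https://user:token@host/...`` becomes ``https://user:***@host/...``.
    A bare userinfo (``https://token@host/...``) is treated as the secret and
    masked entirely. URLs without an ``@`` in the authority are returned as-is.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    userinfo, host = parts.netloc.rsplit("@", 1)
    if ":" in userinfo:
        user, _secret = userinfo.split(":", 1)
        userinfo = f"{user}:{placeholder}"
    else:
        userinfo = placeholder
    return urlunsplit(parts._replace(netloc=f"{userinfo}@{host}"))


class RedactUrlCredentialsFilter(logging.Filter):
    """Logging filter that scrubs credentials from every URL in a record.

    Attach it to a handler (or logger) as a safety net so a forgotten
    redaction at the call site still never reaches stdout or a log store.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        message = record.getMessage()  # applies %-formatting with record.args
        scrubbed = _URL_RE.sub(lambda m: redact_url_credentials(m.group(0)), message)
        if scrubbed != message:
            # Replace the pre-formatted message; clear args so the handler's
            # formatter does not try to re-apply %-formatting.
            record.msg = scrubbed
            record.args = ()
        return True


def format_with_filter(fmt_msg: str, *args) -> str:
    """Emit one log call through the filter and return the rendered text.

    Hypothetical helper for demonstration only; it builds an isolated logger
    with an in-memory stream so the behaviour can be checked without side effects.
    """
    logger = logging.getLogger("example.redaction")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactUrlCredentialsFilter())
    logger.addHandler(handler)
    try:
        logger.info(fmt_msg, *args)
    finally:
        logger.removeHandler(handler)
    return stream.getvalue().strip()


if __name__ == "__main__":
    # Mirrors the shape of the reported log line, with the secret masked.
    print(format_with_filter("Cloning repository %s to .", SAMPLE_URL))
```

The call-site fix is the one-liner `redact_url_credentials(url)` before interpolating the URL into the log message; the filter is defence in depth for any other code path that logs a URL carrying credentials. Both are worth having, because the report's bug is precisely a single call site that was trusted to be careful.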

codificat commented 2 years ago

/sig user-experience /priority important-soon

harshad16 commented 2 years ago

About regenerating the token: the GitHub App token for an installation expires in 8 hours https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation#user-token-revoked-due-to-github-app-configuration