tonythomas01 / gdrive-to-commons

Tool to upload pictures from Google Drive to Wikimedia Commons ⚠️ Moved to Wikimedia Gerrit, so this repo is read only.
https://gdrive-to-commons.toolforge.org/
Apache License 2.0

Potentially leaking keys, secrets and tokens #2

Closed David-Wobrock closed 5 years ago

David-Wobrock commented 5 years ago

Hi Tony, I'm not 100% sure what this project is about, but I was just quickly browsing through it, and quite some keys, secrets and tokens of Google Accounts and MediaWiki are exposed.

You might want to revoke those before something bad happens https://github.com/tonythomas01/gdrive_to_commons/blob/master/gdrive_to_commons/local_settings_sample.py

tonythomas01 commented 5 years ago

Thank you for reporting @David-Wobrock. It definitely was a mistake to put it up there. Ideally the app should pull it from the env variables or some other secrets server.

On the bright side, I luckily foresaw this and altered the secrets a bit :D Like asdf in GOOGLE_CLIENT_ID = "518389157824-2osae11jasdfasdusercontent.com".

Anyway, I am going to set the value to generic human readable comments so that people can use it later.

In case you are interested: https://phabricator.wikimedia.org/T223541
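Pulling the credentials from environment variables, as the comment above suggests, and refusing to start on missing or placeholder values, plus a pre-commit style scan for literal credential assignments in a settings file, as an added example written for this thread (not code from the gdrive-to-commons project). The setting names other than GOOGLE_CLIENT_ID, the placeholder conventions and the sample file contents are assumptions.

```python
import os
import re

# Assumed setting names; only GOOGLE_CLIENT_ID is taken from the issue itself.
REQUIRED_SETTINGS = ("GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET",
                     "MEDIAWIKI_CONSUMER_TOKEN", "MEDIAWIKI_CONSUMER_SECRET")
# Assumed placeholder conventions for a committed sample settings file.
PLACEHOLDER_RE = re.compile(r"^(?:<.*>|your[_ -].*|changeme|xxx+)$", re.IGNORECASE)
# Assignment of a string literal to a credential-looking setting name.
SECRET_ASSIGN_RE = re.compile(
    r"^\s*([A-Z0-9_]*(?:SECRET|TOKEN|KEY|PASSWORD|CLIENT_ID)[A-Z0-9_]*)"
    r"\s*=\s*(['\"])(.+?)\2")


def settings_problems(env):
    """List what is wrong with the credentials found in `env` (a mapping)."""
    problems = []
    for name in REQUIRED_SETTINGS:
        value = env.get(name, "").strip()
        if not value:
            problems.append(f"{name} is not set")
        elif PLACEHOLDER_RE.match(value):
            problems.append(f"{name} still holds the sample placeholder")
    return problems


def load_settings(env=None):
    """Read credentials from the environment instead of a committed file.
    Fails closed: a missing or placeholder value raises rather than being used."""
    env = os.environ if env is None else env
    problems = settings_problems(env)
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return {name: env[name].strip() for name in REQUIRED_SETTINGS}


def find_hardcoded_secrets(source):
    """Scan settings-file text for literal credentials that are not placeholders.
    Returns (line number, setting name) pairs; usable as a pre-commit check."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SECRET_ASSIGN_RE.match(line)
        if m and not PLACEHOLDER_RE.match(m.group(3)):
            hits.append((lineno, m.group(1)))
    return hits


# Constructed sample modelled on a local_settings_sample.py; values are made up.
SAMPLE_SETTINGS_FILE = '''\
# constructed sample settings file
GOOGLE_CLIENT_ID = "000000000000-example.apps.googleusercontent.com"
GOOGLE_CLIENT_SECRET = "<your client secret here>"
MEDIAWIKI_CONSUMER_TOKEN = "deadbeef0123"
DEBUG = True
'''
```

Running `find_hardcoded_secrets` on the constructed sample flags lines 2 and 4, while the `<...>` placeholder on line 3 passes.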

David-Wobrock commented 5 years ago

Nice! (but I guess the tokens and secrets are still available in the git history, which can be found with some scraping tools)