vlocityinc / vlocity_build

Vlocity Build is a command line tool to export and deploy Vlocity DataPacks in a source control friendly format through a YAML Manifest describing your project. Its primary goal is to enable Continuous Integration for Vlocity Metadata through source control. It is written as a Node.js module.
MIT License

Exposed sensitive token information #468

Closed pawel-id closed 2 years ago

pawel-id commented 2 years ago

On start, VBT prints sensitive information, including the current token (Access Token) and the authorization URL (Sfdx Auth Url). In continuous integration environments, where console logs are available for developers to see actual progress and error logs, this may lead to a breach of access information for production orgs.

  Vlocity Build v1.15.2
  Org >> sc2
  Using SFDX >> sc2
  Refreshing SFDX Session >> sc2
=== Org Description
KEY              VALUE
───────────────  ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Access Token     00D1j000000Exac!AREAQOjIG7rDVbGsTowV2.Qy5sngSibpzJFDO6yQmUTZo6x1CdGQuQYgQG_s4zrN0s2V7LQnbhPUR848rCgMIn.2_OoKRP9F
Alias            sc2
Client Id        PlatformCLI
Created By       cicd@orange.com.navio
Created Date     2022-05-15T07:07:20.000+0000
Dev Hub Id       cicd@orange.com
Expiration Date  2022-06-14
Id               00D1j000000ExacEAC
Instance Url     https://rockyroad-chocolate-2973.cs102.my.salesforce.com
Org Name         Orange Polska
Sfdx Auth Url    force://PlatformCLI::5Aep861ybeDfdtD3GX9UAIYpp18ET51PIGsfeCDaGrIrAYUTK5BR6UJihiLM_aQuuWrOFGOf9Oql0bLnzM2oIEO@rockyroad-chocolate-2973.cs102.my.salesforce.com
Status           Active
Username         test-1xxay2mjrbyh@example.com

Please advise how to prevent this information from being displayed, or how to disable it. Thanks.

Regards, Paweł Idczak

jfgarcia268 commented 2 years ago

@pawel-id https://github.com/vlocityinc/vlocity_build/pull/472 @rutlabaga FYI...
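
A CI-side mitigation for the exposure reported in this issue, as an added example that is not vlocity_build code and not the change made in the linked pull request: a line-buffered filter that masks the `Access Token` and `Sfdx Auth Url` rows, and the same values echoed elsewhere, before tool output is written to a shared log. The function names are hypothetical, and the two fallback patterns assume the value shapes visible in the output above (a `force://` URL, and a 15-character org id followed by `!`).

```javascript
// Added example, not vlocity_build code. Credential-like values are constructed.
const MASK = '[REDACTED]';
// Rows of the "Org Description" table whose VALUE column must not reach a log.
const SENSITIVE_KEYS = ['Access Token', 'Sfdx Auth Url'];
const ROW = new RegExp(`^(\\s*(?:${SENSITIVE_KEYS.join('|')})\\s{2,})\\S.*$`);
// Fallback for the same secrets outside the table, e.g. echoed in an error line.
const SECRET_PATTERNS = [
  /force:\/\/[^\s@]+@\S+/g,               // auth URL: force://<client>:<secret>:<refresh token>@<host>
  /\b00D[A-Za-z0-9]{12}![A-Za-z0-9._]+/g, // session id: 15-char org id, "!", token
];

function redactLine(line) {
  if (ROW.test(line)) return line.replace(ROW, `$1${MASK}`);
  return SECRET_PATTERNS.reduce((out, re) => out.replace(re, MASK), line);
}

// Line-buffered: a secret split across two output chunks is still caught,
// because a line is forwarded only once it is complete.
function createRedactor(sink) {
  let pending = '';
  return {
    write(chunk) {
      const lines = (pending + chunk).split('\n');
      pending = lines.pop(); // unterminated tail waits for the next chunk
      for (const l of lines) sink(redactLine(l) + '\n');
    },
    end() { if (pending) sink(redactLine(pending)); pending = ''; },
  };
}

// Constructed sample in the layout shown in the issue.
const SAMPLE = [
  '=== Org Description',
  'KEY              VALUE',
  'Access Token     00DEXAMPLE00001!FAKE.token_value',
  'Alias            demo',
  'Sfdx Auth Url    force://PlatformCLI::FAKErefresh@example.my.salesforce.com',
  'Error: login failed for force://PlatformCLI::FAKErefresh@example.my.salesforce.com',
  '',
].join('\n');

function redactChunks(chunks) {
  let out = '';
  const r = createRedactor((s) => { out += s; });
  for (const c of chunks) r.write(c);
  r.end();
  return out;
}

console.log(redactChunks([SAMPLE.slice(0, 70), SAMPLE.slice(70)]));
```

Masking log output limits who can read the credentials; a token or auth URL that has already appeared in a shared log should still be revoked and reissued.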