fatal error compromises the token

Question

fatal error compromises the token

MoOx opened this issue 9 years ago · comments

Max Thirouin commented 9 years ago

see it by yourself https://travis-ci.org/putaindecode/putaindecode.fr#L8587

Any idea how to catch this to avoid the token to be compromised ?

dan smith · Answer 1 · Tue Apr 28 2015 19:10:46 GMT+0800 (China Standard Time)

@MoOx, which build number should i be looking at?

Max Thirouin · Answer 2 · Tue Apr 28 2015 19:27:19 GMT+0800 (China Standard Time)

Oh shit, travis didn't update the link. Let me take a look so I can find the build

Max Thirouin · Answer 3 · Tue Apr 28 2015 21:30:25 GMT+0800 (China Standard Time)

Well to reproduce, juste use an incorrect repo url like repo=https://$GH_TOKEN@github.com/WRONG/PROJECT.git.
When the git failure come, you will get a failure message with the repo url exposed :(

Max Thirouin · Answer 4 · Wed May 13 2015 14:11:34 GMT+0800 (China Standard Time)

So here is an output

> putaindecode.fr@0.0.0 _deploy /home/travis/build/putaindecode/putaindecode.fr
> GH_OWNER=putaindecode GH_PROJECT_NAME=putaindecode.fr ./scripts/deploy-to-gh-pages.sh -v

+set +o verbose
+git diff --exit-code --quiet --cached
++git log -n 1 --format=%s HEAD
+commit_title='Break things on purpose'
++git log -n 1 --format=%H HEAD
+commit_hash=b51086c4b059e57e49432bcca6b22b523ced2292
++git rev-parse --abbrev-ref HEAD
+previous_branch=HEAD
+'[' ']'
+'[' '!' -d dist ']'
++ls -A dist
+[[ -z 404.html
authors
c-est-quoi-putaindecode
CNAME
favicon.ico
feed.xml
humans.txt
icons
images
index.b51086c.js
index.css
index.html
posts
projets
tests.html
tests.js ]]
+disable_expanded_output
+'[' true ']'
+set +o xtrace
git fetch --force $repo $deploy_branch:$deploy_branch
remote: Invalid username or password.
fatal: Authentication failed for 'https://01aeb894368c34fe923b46607e80ed1cec85982d@github.com/putaindecode/putaindecode.fr.shit.git/'

(don't worry this token is dead)
In this example the remote url is wrong because I added a mistake in the repo. But if we can do something to prevent this, it would be great !

dan smith · Answer 5 · Wed May 13 2015 14:22:50 GMT+0800 (China Standard Time)

Cool, thanks for the example. I actually have been able to reproduce the issue already, and I'm working on a solution to filter the output of the commands that use $repo. I just haven't had the time to finish it. I'll let you know.

Max Thirouin · Answer 6 · Wed May 13 2015 14:34:27 GMT+0800 (China Standard Time)

Awesome !
Take your time :)

Claudia Meadows · Answer 7 · Tue Feb 14 2017 15:07:17 GMT+0800 (China Standard Time)

@X1011 Any ETA on this?

dan smith · Answer 8 · Mon Feb 27 2017 08:32:21 GMT+0800 (China Standard Time)

@isiahmeadows unfortunately, no; i have an idea for a solution, and i started implementing it, but i haven't had time to finish it.

jagged3dge · Answer 9 · Wed Dec 15 2021 11:39:18 GMT+0800 (China Standard Time)

@X1011 Could you, maybe, outline your idea here so that contributors could pick this up?

Or, in case you think it isn't an exhaustive solution, consumers could apply it on their own forks.