FactoryGirl.NET

NuGet API Key Exposed

Open jamesottaway opened this issue 10 years ago • 2 comments

This is Very Bad™.

I tested it by pushing zzzzzzzzzzzzzzzzzzzzzzzzzz to nuget.org.

I would strongly recommend:

  • removing this API key from the repo
  • changing the NuGet password for the factorygirl account

jamesottaway, May 07 '14 01:05

Thanks for the heads-up. I have removed the NuGet API Key, but it is still in the history. I will reset the API key once I receive permissions to do so. (Someone else set up the NuGet feed.)

JamesKovacs, May 09 '14 16:05

Awesome!

I'm assuming you're getting access to the factory_girl account on nuget.org, but if you can only get access to the FactoryGirl.NET package as an owner, you'll want to scrub the API key out of the repo history.

There's a good GitHub Help article on removing sensitive data.

Side note: does nuget.org support organisation accounts, similar to how GitHub does it?

jamesottaway, May 10 '14 00:05
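
The point made in the thread, that deleting the key from the current files leaves it readable in the history, can be checked with git itself. The script below is an added example, not part of the original issue or the FactoryGirl.NET repo; the key is a constructed placeholder and `publish.cmd` is a hypothetical file name.

```shell
#!/bin/sh
# Added example. DEMO_KEY is a constructed placeholder, not a real key.
DEMO_KEY="00000000-0000-0000-0000-000000000000"

# Exit 0 if any tracked file at HEAD still contains the literal string.
secret_in_head() {
    git -C "$1" grep -q -F -e "$2" HEAD
}

# Print the hash of every commit, on any ref, whose diff changes the number
# of occurrences of the literal string (git's "pickaxe" search).
find_secret_commits() {
    git -C "$1" log --all --format=%H -S"$2"
}

# Build a throwaway repo: one commit adds the key, the next deletes it.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    g() { git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
              -c commit.gpgsign=false "$@"; }
    g init -q >/dev/null 2>&1
    # publish.cmd is a hypothetical file standing in for wherever the key lived.
    printf 'NUGET_API_KEY=%s\n' "$DEMO_KEY" > "$repo/publish.cmd"
    g add publish.cmd
    g commit -q -m "add publish script" >/dev/null
    printf 'NUGET_API_KEY=\n' > "$repo/publish.cmd"
    g commit -q -a -m "remove API key" >/dev/null
    printf '%s\n' "$repo"
}

repo=$(make_demo_repo)
if secret_in_head "$repo" "$DEMO_KEY"; then
    echo "HEAD: key still present"
else
    echo "HEAD: key removed"
fi
echo "commits whose diff still shows the key:"
find_secret_commits "$repo" "$DEMO_KEY"
rm -rf "$repo"
```

Both the commit that added the key and the commit that removed it are listed, because the removal diff still contains the old value.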