algoliasearch-netlify icon indicating copy to clipboard operation
algoliasearch-netlify copied to clipboard

Published 20 hours ago verified publisher icon algolia

Sensitive values in the logs

Open ehmicky opened this issue 5 years ago • 3 comments

Does the /api/1/netlify/crawl response include any secure/sensitive values?

The response might be printed by one of the following statements:

https://github.com/algolia/algoliasearch-netlify/blob/601d32efd6cf18dbbd81e018fecc2c7cd2e427bc/plugin/src/index.ts#L81

https://github.com/algolia/algoliasearch-netlify/blob/601d32efd6cf18dbbd81e018fecc2c7cd2e427bc/plugin/src/index.ts#L91

https://github.com/algolia/algoliasearch-netlify/blob/601d32efd6cf18dbbd81e018fecc2c7cd2e427bc/plugin/src/index.ts#L99

Netlify build logs are sometimes public, in which case there would be a risk for those sensitive values to be made public as well. However, if this endpoint does not respond with any sensitive values, then this is not a concern. I am raising this up just to be 100% sure :)

ehmicky avatar Sep 28 '20 13:09 ehmicky

Netlify build logs are sometimes public

Ah we did not knew that. We don't output anything more than ids, which are protected by ACL. But the response error log could leak a token indeed.

bodinsamuel avatar Sep 29 '20 15:09 bodinsamuel

Worst case scenario, it will leak the API key. While not ideal, all this gives access to is the ability to trigger a crawl, and I don't see many scenarii where this would be abused maliciously.

Jerska avatar Sep 29 '20 16:09 Jerska

This seems fairly important, has it been addressed?

IanVS avatar Nov 22 '22 16:11 IanVS