Security: do not copy GitHub OAuth tokens to fossa.yml cli project field, security credential leakage highly likely
When fossa cli's fossa init generates .fossa.yml, it copies the Git URL verbatim, including the GitHub OAuth token from the git remote, into the .fossa.yml, which could then get committed, publicly exposing the OAuth token.
It should strip https://<token>@github.com/....
This probably applies to other git repo systems too; it should be a generalized https?://token@ strip.
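The sanitization the report asks for, as an added example that is not fossa-cli's own code: strip the userinfo (a bare token or user:password) from http(s) git remote URLs before they are used as a project name or written to .fossa.yml, leave ssh-style remotes alone since the "git" login there is not a secret, and scan an existing .fossa.yml for URLs that already carry credentials. The same check applies to the project name that fossa analyze prints in the later post. The .fossa.yml content and the token value below are constructed for the example; the helper names are my own.

```python
"""Strip credentials from git remote URLs before they land in .fossa.yml (added example)."""
from __future__ import annotations

import re
from urllib.parse import urlsplit, urlunsplit

# Userinfo of an http(s) URL: "https://<token>@" or "https://user:pass@".
# Assumption: everything before the last "@" in the authority is credential material.
_HTTP_CREDS = re.compile(r"(?P<scheme>https?://)(?P<userinfo>[^/\s@]+)@", re.IGNORECASE)

# Constructed sample modelled on the v1 .fossa.yml layout; the token is a dummy value.
SAMPLE_FOSSA_YML = """\
version: 1
cli:
  server: https://app.fossa.com
  project: https://ghp_EXAMPLETOKEN@github.com/HariSekhon/pylib.git
"""


def strip_url_credentials(url: str) -> str:
    """Return `url` with any userinfo removed from http(s) URLs.

    ssh://git@host/... and scp-style git@host:org/repo.git are returned unchanged:
    "git" there is a login name, not a secret, and removing it breaks the remote.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return url
    # rpartition keeps host:port exactly as written (urlsplit would lowercase hostname).
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def find_credential_urls(text: str) -> list[str]:
    """Return every http(s) URL in `text` that carries userinfo, e.g. in a committed .fossa.yml."""
    return [m.group(0) for m in re.finditer(r"https?://[^/\s@]+@[^\s\"']+", text)]


def redact_credential_urls(text: str) -> str:
    """Rewrite every http(s) URL in `text` with its userinfo removed; everything else is kept."""
    return _HTTP_CREDS.sub(lambda m: m.group("scheme"), text)


if __name__ == "__main__":
    # Constructed remotes covering the token, user:password, ssh and clean cases.
    for remote in (
        "https://ghp_EXAMPLETOKEN@github.com/HariSekhon/pylib.git",
        "https://user:s3cr3t@gitlab.example.com:8443/grp/proj.git?x=1",
        "ssh://git@github.com/HariSekhon/pylib.git",
        "git@github.com:HariSekhon/pylib.git",
        "https://github.com/HariSekhon/pylib.git",
    ):
        print(f"{remote} -> {strip_url_credentials(remote)}")
    print("credential URLs in .fossa.yml:", find_credential_urls(SAMPLE_FOSSA_YML))
    print(redact_credential_urls(SAMPLE_FOSSA_YML))
```

find_credential_urls is the check to run in CI or a pre-commit hook over .fossa.yml (and any other generated config); strip_url_credentials is what the tool should apply to the remote before deriving a project name from it.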
Hi @HariSekhon, this is really interesting. Do you still see this behavior happening with the latest version of the fossa cli?
I haven't used fossa in a long time, but installing the latest CLI and trying again gives this:
$ fossa --version
fossa-cli version 3.3.0 (revision b75c9f797767 compiled with ghc-9.0)
$ fossa init
The 'init' command has been deprecated and no longer has any effect. You may safely remove this command.
It has a similar issue with the fossa analyze command though:
[ INFO] Analyzing setuptools project at /private/tmp/pylib/
[ INFO]
[ INFO] Scan Summary
[ INFO] ------------
[ INFO] fossa-cli version 3.3.0 (revision b75c9f797767 compiled with ghc-9.0)
[ INFO]
[ INFO] 1 projects scanned; 0 skipped, 1 succeeded, 0 failed, 1 analysis warning
[ INFO]
[ INFO] * setuptools project in "/private/tmp/pylib/": succeeded with 1 warning
[ INFO] -
[ INFO]
[ INFO] Some projects may not appear in the summary if they were filtered during discovery.
[ INFO] You can run `fossa list-targets` to see all discoverable projects.
[ INFO]
[ INFO] You can pass `--debug` option to eagerly show all warning and failure messages.
[ INFO] You can also view analysis summary with warning and error messages at: "/private/var/folders/30/kxjrq3fj5tqdhsvbj3p9m2fh0000gq/T/fossa-analyze-scan-summary.txt"
[ INFO] ------------
[ INFO]
[ INFO] Using project name: `https://ghp_<MYTOKEN>@github.com/HariSekhon/pylib.git`
[ INFO] Using revision: `ad20cbbc893b9569210fa367cde61aaccf84b9e8`
[ INFO] Using branch: `master`
[ INFO] ============================================================
[ INFO]
[ INFO] View FOSSA Report:
[ INFO] https://app.fossa.com/projects/custom%2b16526%2fgithub.com%2fHariSekhon%2fpylib/refs/branch/master/ad20cbbc893b9569210fa367cde61aaccf84b9e8
[ INFO]
[ INFO] ============================================================