git-directory-deploy

fatal error compromises the token

Open MoOx opened this issue 10 years ago • 9 comments

See for yourself: https://travis-ci.org/putaindecode/putaindecode.fr#L8587

Any idea how to catch this to avoid the token being compromised?

MoOx avatar Apr 28 '15 08:04 MoOx

@MoOx, which build number should I be looking at?

X1011 avatar Apr 28 '15 11:04 X1011

Oh shit, Travis didn't update the link. Let me take a look so I can find the build.

MoOx avatar Apr 28 '15 11:04 MoOx

Well, to reproduce, just use an incorrect repo URL like repo=https://[email protected]/WRONG/PROJECT.git. When the git failure comes, you will get a failure message with the repo URL exposed :(

MoOx avatar Apr 28 '15 13:04 MoOx

So here is an output:

> [email protected] _deploy /home/travis/build/putaindecode/putaindecode.fr
> GH_OWNER=putaindecode GH_PROJECT_NAME=putaindecode.fr ./scripts/deploy-to-gh-pages.sh -v

+set +o verbose
+git diff --exit-code --quiet --cached
++git log -n 1 --format=%s HEAD
+commit_title='Break things on purpose'
++git log -n 1 --format=%H HEAD
+commit_hash=b51086c4b059e57e49432bcca6b22b523ced2292
++git rev-parse --abbrev-ref HEAD
+previous_branch=HEAD
+'[' ']'
+'[' '!' -d dist ']'
++ls -A dist
+[[ -z 404.html
authors
c-est-quoi-putaindecode
CNAME
favicon.ico
feed.xml
humans.txt
icons
images
index.b51086c.js
index.css
index.html
posts
projets
tests.html
tests.js ]]
+disable_expanded_output
+'[' true ']'
+set +o xtrace
git fetch --force $repo $deploy_branch:$deploy_branch
remote: Invalid username or password.
fatal: Authentication failed for 'https://[email protected]/putaindecode/putaindecode.fr.shit.git/'

(Don't worry, this token is dead.) In this example the remote URL is wrong because I added a mistake in the repo. But if we can do something to prevent this, it would be great!

MoOx avatar May 13 '15 06:05 MoOx

Cool, thanks for the example. I actually have been able to reproduce the issue already, and I'm working on a solution to filter the output of the commands that use $repo. I just haven't had the time to finish it. I'll let you know.

X1011 avatar May 13 '15 06:05 X1011

Awesome! Take your time :)

MoOx avatar May 13 '15 06:05 MoOx

@X1011 Any ETA on this?

dead-claudia avatar Feb 14 '17 07:02 dead-claudia

@isiahmeadows Unfortunately, no; I have an idea for a solution, and I started implementing it, but I haven't had time to finish it.

X1011 avatar Feb 27 '17 00:02 X1011

@X1011 Could you, maybe, outline your idea here so that contributors could pick this up?

Or, in case you think it isn't an exhaustive solution, consumers could apply it on their own forks.

jagged3dge avatar Dec 15 '21 03:12 jagged3dge
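
One way to do the output filtering mentioned in the thread, as an added example (it is not the project's code and not X1011's unfinished implementation): wrap each command that receives $repo so that credentials embedded in URLs are masked in its output while its exit status is preserved. The names `redact_credentials`, `filter` and `fake_git_fetch`, and the token and host in the sample URL, are constructed for illustration.

```shell
#!/bin/sh
# Added example: mask URL credentials in the output of commands given $repo.

# Replace the userinfo part of any scheme://userinfo@host URL with "***".
redact_credentials() {
  sed -E 's#([A-Za-z][A-Za-z0-9+.-]*://)[^/@[:space:]]+@#\1***@#g'
}

# Run a command, pass its stdout and stderr through the redaction, and keep
# its exit status so the calling script still sees the failure.
# Output is buffered until the command ends; the body runs in a subshell
# so the helper variables do not leak into the caller.
filter() (
  out=$("$@" 2>&1) && status=0 || status=$?
  if [ -n "$out" ]; then
    printf '%s\n' "$out" | redact_credentials
  fi
  exit "$status"
)

# Constructed stand-in for the failing `git fetch` in the log above: same
# message shape, made-up token and host, no network access.
fake_git_fetch() {
  echo "remote: Invalid username or password."
  echo "fatal: Authentication failed for '$1/'" >&2
  return 128
}

repo='https://CONSTRUCTED_TOKEN@example.invalid/WRONG/PROJECT.git'  # constructed
filter fake_git_fetch "$repo" || echo "command failed with status $?"
```

In a deploy script the wrapper would go in front of the calls that take $repo, such as the `git fetch --force $repo ...` line in the log above. Tracing has to stay off around those calls, as the script already does with `set +o xtrace`, because xtrace prints the expanded URL before any filter sees it.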