
Insecure

Open Daniel15 opened this issue 8 years ago • 7 comments

This approach seems very insecure to me. If GH_AUTH_TOKEN is exposed to pull requests, someone could simply add echo $GH_AUTH_TOKEN to the circle.yml, send a pull request, and see the token!

Daniel15 avatar Jul 31 '17 00:07 Daniel15

@Daniel15 can you propose a more secure approach?

Environment variables are the typical solution to such things. I suggest creating a bot account with limited privileges and using its GH_AUTH_TOKEN, rather than using your personal account (example comment).

giladgray avatar Jul 31 '17 19:07 giladgray

The best approach is to use a webhook on a server / hosting service that you control. That way, the GitHub token has no risk of leaking (assuming that you don't do something silly like output it as part of an error message 😛 ). As an example of a CircleCI webhook, we use some webhooks with Yarn to archive master/nightly builds, and to release RC/stable builds: https://github.com/yarnpkg/yarn/blob/master/circle.yml#L56-L59

You could throw it onto Zeit Now or Heroku for something that's relatively easy to get started with. You could offer this as a hosted service for example, where people can log in and you store the access token. This has less risk of leaking the access token. Of course, someone could always clone the repo and host the script themselves for the best security.

Daniel15 avatar Aug 01 '17 03:08 Daniel15

@Daniel15 not really, this is disabled by default on CircleCI

[screenshot]

tusbar avatar Aug 28 '17 16:08 tusbar

> this is disabled by default on CircleCI

But then how would this project even work? Its purpose is to comment on pull requests, right?

Daniel15 avatar Aug 28 '17 16:08 Daniel15

one project that uses this package has a section in CONTRIBUTING.md to instruct external contributors how to enable the bot for their forks: https://github.com/palantir/blueprint/blob/master/CONTRIBUTING.md#enable-preview-comments

giladgray avatar Sep 06 '17 02:09 giladgray

the bot works fine for folks who have access to the real circle containers (i.e., core contributors / the team). external folks who fork it have to create their own GH token for the bot to use when posting the comment. this has worked very well for us in practice.

giladgray avatar Sep 06 '17 02:09 giladgray

> one project that uses this package has a section in CONTRIBUTING.md to instruct external contributors how to enable the bot for their forks

This sounds reasonable to me! 😃

I just launched a GitHub App to track the size of build artifacts (https://buildsize.org/). I might take some inspiration from this project and update it to include links to the artifacts too. Currently it just lists the file sizes.

Daniel15 avatar Sep 06 '17 03:09 Daniel15