
Insecure #11

Open
Daniel15 opened this issue Jul 31, 2017 · 7 comments

Comments

@Daniel15

This approach seems very insecure to me. If GH_AUTH_TOKEN is exposed to pull requests, someone could simply add echo $GH_AUTH_TOKEN to the circle.yml, send a pull request, and see the token!

@giladgray
Collaborator

@Daniel15 can you propose a more secure approach?

Environment variables are the typical solution to such things. I suggest creating a bot account with limited privileges and using its GH_AUTH_TOKEN, rather than using your personal account (example comment).

@Daniel15
Author

Daniel15 commented Aug 1, 2017

The best approach is to use a webhook on a server / hosting service that you control. That way, the GitHub token has no risk of leaking (assuming that you don't do something silly like output it as part of an error message 😛 ). As an example of a CircleCI webhook, we use some webhooks with Yarn to archive master/nightly builds, and to release RC/stable builds: https://github.com/yarnpkg/yarn/blob/master/circle.yml#L56-L59

You could throw it onto Zeit Now or Heroku for something that's relatively easy to get started with. You could offer this as a hosted service for example, where people can log in and you store the access token. This has less risk of leaking the access token. Of course, someone could always clone the repo and host the script themselves for the best security.
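The webhook pattern described in this comment, as an added example that is not part of the original thread or the project's code: the CI job sends a signed webhook to a server the maintainer controls, and only that server holds the GitHub token, so nothing in circle.yml can echo it. The header name, the payload shape, the shared secret, the token placeholder and the allowed-repo list are all constructed assumptions for this illustration; the GitHub REST endpoint for commenting on a pull request is the real one.

```python
import hashlib
import hmac
import json
import urllib.request

# Shared secret configured on both the CI side and this server (constructed value).
WEBHOOK_SECRET = b"constructed-shared-secret-for-example"
# Bot account token lives only on this server, never in the CI environment
# (constructed placeholder, not a real token).
BOT_TOKEN = "ghp_PLACEHOLDER_not_a_real_token"
# Header in which the CI side is assumed to send the hex HMAC of the raw body.
SIGNATURE_HEADER = "X-Webhook-Signature"  # assumption for this example
# Only comment on repos you actually run this bot for, so a forked CI config
# cannot make the bot post elsewhere (constructed list).
ALLOWED_REPOS = {"example-org/example-repo"}
GITHUB_API = "https://api.github.com"

# Constructed sample payload, as the CI job would send it.
SAMPLE_BODY = json.dumps({
    "repo": "example-org/example-repo",
    "pr_number": 42,
    "artifact_url": "https://example.invalid/builds/42/preview.tgz",
}).encode()


def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body, as the CI side would compute it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, presented: str) -> bool:
    """Constant-time check; unsigned or tampered payloads are rejected."""
    if not presented:
        return False
    return hmac.compare_digest(sign_payload(secret, body), presented)


def build_comment_request(token: str, repo: str, pr_number: int, text: str):
    """POST /repos/{owner}/{repo}/issues/{number}/comments with the server-held token."""
    url = f"{GITHUB_API}/repos/{repo}/issues/{pr_number}/comments"
    data = json.dumps({"body": text}).encode()
    return urllib.request.Request(
        url,
        data=data,
        method="POST",
        headers={
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )


def handle_webhook(raw_body: bytes, signature: str) -> dict:
    """Validate an incoming CI webhook and describe the comment that would be posted.

    Returns a dict rather than sending, so the decision logic can be tested offline.
    """
    if not verify_signature(WEBHOOK_SECRET, raw_body, signature):
        return {"accepted": False, "reason": "bad signature"}
    payload = json.loads(raw_body)
    repo = payload.get("repo", "")
    pr_number = payload.get("pr_number")
    if repo not in ALLOWED_REPOS:
        return {"accepted": False, "reason": "repo not allowed"}
    if not isinstance(pr_number, int):
        return {"accepted": False, "reason": "not a pull request build"}
    comment = f"Preview build available: {payload['artifact_url']}"
    req = build_comment_request(BOT_TOKEN, repo, pr_number, comment)
    # The token only ever appears in the Authorization header, never in the comment.
    return {"accepted": True, "url": req.full_url, "comment": comment}


if __name__ == "__main__":
    print(handle_webhook(SAMPLE_BODY, sign_payload(WEBHOOK_SECRET, SAMPLE_BODY)))
```

In a real deployment `handle_webhook` would be called from the HTTP handler with the raw request body and the signature header, and the returned request sent with `urllib.request.urlopen`; the point is that the pull-request author's CI config never sees `BOT_TOKEN`, only the shared webhook secret, and even that can be scoped to a bot account with limited privileges.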

@tusbar

tusbar commented Aug 28, 2017

@Daniel15 not really; this is disabled by default on CircleCI.

[screenshot attached: screen shot 2017-08-28 at 6 32 51 pm]

@Daniel15
Author

> this is disabled by default on CircleCI

But then how would this project even work? Its purpose is to comment on pull requests, right?

@giladgray
Collaborator

giladgray commented Sep 6, 2017

one project that uses this package has a section in CONTRIBUTING.md to instruct external contributors how to enable the bot for their forks: https://github.com/palantir/blueprint/blob/master/CONTRIBUTING.md#enable-preview-comments

@giladgray
Collaborator

The bot works fine for folks who have access to the real Circle containers (i.e., core contributors / the team). External folks who fork it have to create their own GH token for the bot to use when posting the comment. This has worked very well for us in practice.

@Daniel15
Author

Daniel15 commented Sep 6, 2017

> one project that uses this package has a section in CONTRIBUTING.md to instruct external contributors how to enable the bot for their forks

This sounds reasonable to me! 😃

I just launched a GitHub App to track the size of build artifacts (https://buildsize.org/), I might take some inspiration from this project and update it to include links to the artifacts too. Currently it just lists the file sizes.

3 participants