-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make accidental publishing of security tokens less likely #123
Comments
I would like to work on a fix for this. I was thinking of a precommit hook or script that checks wether a config file exists and a variable of name Perhaps setting an env variable is better? |
Hmm, requiring a config file to exist will be an obstacle for a developer only looking to commit a small fix, without setting up a local testing environment. It will also not be effective in stopping the kind of mistake we made in #114 where the token was published without any commit being made. Reading the secret from an environment variable would indeed be better. It would separate the secret from the other, less sensitive, configuration properties. When the user shares her less sensitive configuration properties, she will be much less likely to also share a separated secret. Please note however that environment variables are not in general secure places to store secrets. Typically, every process in the operating system will be able to read the environment variables of a process. Files on the other hand can have read restrictions. I'm not sure if environment variable security has improved in more recent operating systems. It is also quite common for troubleshooting tools to log the entire environment, which would reveal the token unintentionally. I think there's also a mechanism in Next for automatically sharing parts of the server process's environment with the client browser, but I think it only shares variables named according to a certain pattern, specifically to avoid this kind of leak. Other framework tools might not be so careful. |
After some time marinating with this issue I am now wondering a bit about the issue. Since we have functionality to read the config from This leaves me with two toughts: |
Yes, I think you're right that our What happened in #114 is that we copied configuration files into an issue description. By sharing the complete configuration, we also shared a GitHub access token. Moving the access tokens to a separate file would help a little. Moving access tokens to in memory-only, with some kind of admin UI to configure them, would help more, but would make restarting instances too cumbersome. Removing access tokens would be much better and it might be possible. Lyra only uses GitHub access tokens to create pull requests. We do not intend for translators to create pull requests, only Lyra administrators and project developers should create pull requests. These kinds of users are probably already signed in to GitHub with their browser or could sign in if requested. That's sufficient to create pull requests with https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/using-query-parameters-to-create-a-pull-request I think that's what's #17 is about. It would have other benefits too: the PR would be created by the user clicking the button, not the user who set up the Lyra instance. |
From #114, where I accidentally included the
github_token
value from myprojects.yaml
as part of my example.The text was updated successfully, but these errors were encountered: