greenkeeperio / greenkeeper-lockfile

:lock: Your lockfile, up to date, all the time
https://greenkeeper.io

GitHub Token exposed in output of greenkeeper-lockfile-upload #87

Open anishkny opened 6 years ago

anishkny commented 6 years ago

I am not sure if this is intended.

See "Upload greenkeeper-lockfile" step in anishkny/realworld-e2e-test/39

#!/bin/bash -eo pipefail
greenkeeper-lockfile-upload
To https://95fb272798b152e9ca05fcfba45acd90e72dd24a@github.com/anishkny/realworld-e2e-test
   9bdee0e..aa83790  HEAD -> greenkeeper/puppeteer-0.13.0
razor-x commented 6 years ago

Just noticed this. It's a very serious security issue. GitHub tokens have a wide permission scope. Ideally this project should use deploy tokens instead since they are restricted to pushing to the specific repo.

Until this is addressed I will have to redirect all output to /dev/null

razor-x commented 6 years ago

I looked into this more. Seems like deploy keys are supported but undocumented:

  const url = require('url')

  // Default remote is the SSH form, which authenticates with the deploy key
  let remote = `git@github.com:${info.repoSlug}`
  if (info.gitUrl) remote = info.gitUrl

  // With GH_TOKEN set, the remote is forced to https and the token is placed
  // in the URL's auth (userinfo) part, which git later echoes in its push output
  if (env.GH_TOKEN) {
    if (remote.slice(0, 5) !== 'https') remote = `https://github.com/${info.repoSlug}`
    const urlParsed = url.parse(remote)
    urlParsed.auth = env.GH_TOKEN
    remote = url.format(urlParsed)
  }

I've updated my CI configs to use deploy keys.

I think deploy keys should be recommended over tokens, and if using tokens the output should be redirected to hide it.

paglias commented 6 years ago

Any update on this?

madorb commented 6 years ago

@Realtin this is a fairly significant security issue, any chance someone can take a look at this? (And ideally document that Deploy Keys are also supported?)

janl commented 6 years ago

Sorry for the late reply here. Since this was undocumented behaviour, we didn’t catch this in time. I’ve pushed a branch that should address this. Would you fine folks here be able to give it a spin & review?

Thanks a lot!

betaorbust commented 6 years ago

Is this still an open issue?