check without upload (Gemfile containing github tokens, security issue)
Hi
Our Gemfiles contain some github personal access tokens.
So I discovered veye check actually uploads the Gemfile, and public is the default, so we had to reset our tokens.
It would be nice if it were possible to do a check command without uploading the Gemfile.
As far as I can see there is no way for anyone to download the actual Gemfile (thus getting access to the tokens). Do you know if that is true?
I'm guessing only the versioneye developers have access to the uploaded files.
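The Gemfile described in this report carries credentials inside its URLs, and the reporter's practical question is how to strip them before anything leaves the machine. The following Ruby script is an added example, not part of this thread and not VersionEye's or Bundler's tooling: it scans a Gemfile for http(s) URLs that contain a userinfo part (user or user:password before the "@"), reports the line numbers, and writes a redacted copy that still names every dependency and host but no longer contains the secret. The sample Gemfile, the token and the password in it are constructed placeholders.

```ruby
# Added example, not VersionEye's or Bundler's code: before handing a Gemfile
# to any third-party service, scan it for credentials embedded in source/git
# URLs and produce a redacted copy. Dependency names and hosts survive the
# redaction, so the parse result is unchanged; only the secret is removed.
require 'uri'

# Constructed sample Gemfile; the token and password values are placeholders.
SAMPLE_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  gem 'rails', '~> 5.2'
  gem 'internal_lib', git: 'https://ghp_EXAMPLETOKEN0000:x-oauth-basic@github.com/example-org/internal_lib.git'
  gem 'other', git: 'git@github.com:example-org/other.git'
  source 'https://deploy:s3cr3tpassword@gems.example.com'
GEMFILE

# http(s) URLs as they appear inside a quoted Gemfile string.
URL_RE = %r{https?://[^\s'"]+}

# Return [line_number, url] for every URL that carries a userinfo part.
# SSH-style git@host:path locators are not http URLs and are ignored here.
def find_url_credentials(text)
  hits = []
  text.each_line.with_index(1) do |line, number|
    line.scan(URL_RE) do |raw|
      begin
        uri = URI.parse(raw)
      rescue URI::InvalidURIError
        next
      end
      hits << [number, raw] unless uri.userinfo.to_s.empty?
    end
  end
  hits
end

# Strip the userinfo from every http(s) URL, leaving scheme, host and path.
def redact_url_credentials(text)
  text.gsub(URL_RE) { |raw| raw.sub(%r{\A(https?://)[^@/]+@}, '\1') }
end

# True when no URL in the text carries credentials.
def safe_to_upload?(text)
  find_url_credentials(text).empty?
end

if $PROGRAM_NAME == __FILE__
  find_url_credentials(SAMPLE_GEMFILE).each do |number, url|
    puts "line #{number}: credential in #{url.sub(%r{//[^@/]+@}, '//***@')}"
  end
  puts redact_url_credentials(SAMPLE_GEMFILE) unless safe_to_upload?(SAMPLE_GEMFILE)
end
```

Running the script over the sample flags lines 3 and 5 and prints a Gemfile whose git and source URLs point at the same hosts with the userinfo removed; `safe_to_upload?` on the redacted text returns true. Credentials that reach a Gemfile through `ENV[...]` lookups are not in the file and are not affected.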
reporter Maybe I can avoid credentials in Gemfile.lock https://github.com/bundler/bundler/issues/3609
Hi @ComLock. VersionEye is not storing the original project files (Gemfile, Gemfile.lock). It doesn't matter which way you choose to create a project (API, URL, Upload, GitHub Integration, Bitbucket Integration); in all cases VersionEye will only parse the content of the file and then delete the file. We don't keep a copy of the original file.
@ComLock Besides that, we don't parse for credentials in Gemfile or Gemfile.lock.
reporter What does the [Re Parse Now] button do? I thought it reparsed the uploaded Gemfile.lock
@ComLock It re-parses the original version strings. The projectdependency model has these 3 variables:
- version_label
- version_requested
- version_current
In the version_label we always store the original version string from the file, for example 1.2.*. At the moment of the parsing it gets resolved to the currently newest patch version, for example 1.2.1, and that value is stored in version_requested. If you hit the "re parse" button that value gets evaluated again and now the newest patch version might be 1.2.2.
@ComLock If your project is created from "URL" or via the GitHub/Bitbucket API, then the "re parse" button first fetches the file from the original source and then re-parses everything. In case of a file upload the first step is skipped.
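As an added illustration of the resolution described in the two comments above (example code, not VersionEye's own), the following Ruby sketch models the three fields named there and shows what a re-parse does to them: the label is stored verbatim, version_requested is the newest published version matching it at parse time, and evaluating the same label later against a longer version list moves version_requested forward. ProjectDependency, label_pattern, resolve_label, parse_dependency and reparse! are hypothetical names chosen for this example, the wildcard form 1.2.* is taken from the comment as given, and the version lists are constructed.

```ruby
# Added example, not VersionEye's code: a small model of the three fields
# described in the comment (version_label, version_requested, version_current)
# and of what a "re parse" does to them. All names here are hypothetical.
require 'rubygems' # Gem::Version gives correct numeric ordering (1.2.10 > 1.2.9)

ProjectDependency = Struct.new(:name, :version_label, :version_requested, :version_current)

# Turn a label such as "1.2.*" into an anchored regexp; each "*" stands for one
# numeric component. A label without "*" matches only itself.
def label_pattern(label)
  parts = label.split('.').map { |p| p == '*' ? '\d+' : Regexp.escape(p) }
  Regexp.new('\A' + parts.join('\.') + '\z')
end

# Newest version in a list by semantic ordering; nil for an empty list.
def newest(versions)
  versions.max_by { |v| Gem::Version.new(v) }
end

# version_requested: the newest known version matching the label at parse time.
# Returns nil when no published version satisfies the label.
def resolve_label(label, known_versions)
  pattern = label_pattern(label)
  newest(known_versions.select { |v| pattern.match?(v) })
end

# Initial parse: keep the label verbatim, resolve it, and record the newest release overall.
def parse_dependency(name, label, known_versions)
  ProjectDependency.new(name, label, resolve_label(label, known_versions), newest(known_versions))
end

# "Re parse": the stored label is evaluated again against the current version list,
# so version_requested moves forward when a newer matching patch has been released.
def reparse!(dep, known_versions)
  dep.version_requested = resolve_label(dep.version_label, known_versions)
  dep.version_current = newest(known_versions)
  dep
end

if $PROGRAM_NAME == __FILE__
  # Constructed version lists for a hypothetical library.
  dep = parse_dependency('example-lib', '1.2.*', %w[1.1.0 1.2.0 1.2.1 1.3.0])
  puts dep.to_h.inspect # version_requested "1.2.1", version_current "1.3.0"
  reparse!(dep, %w[1.1.0 1.2.0 1.2.1 1.2.2 1.3.0])
  puts dep.to_h.inspect # version_requested now "1.2.2", label unchanged
end
```

The point for the reporter's question is that a re-parse needs only the stored label string and the current version index, not the uploaded file, which is consistent with the statement that the original Gemfile is deleted after parsing.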
reporter Thank you for that information.
Basically unless we strip the tokens from our Gemfiles before uploading, this prevents us from using versioneye.