
I have been working on a code review of a project. The source code is publicly available on GitHub.

I came across a file "travis.yml". In that file, I am able to see the secure api_key, as shown in the screenshot.

I strongly believe that it is a security defect. However, I cannot prove that, because I am not sure how an attacker could use that api_key.

Hence, please let me know whether it is a security defect and the necessary justification to prove it. I have blurred a few details in the screenshot for security reasons.


Sai Dutt Mekala

2 Answers

By publicly announcing your API keys - including the associated email address! - you give (ab)users the chance to pose as the legitimate developer and misuse the API in question. This might lead to you being banned from using the API, damage your reputation, or cause other more serious problems, depending on the API in question.

GitHub themselves wrote a blog post about that issue in 2013.

SeeYouInDisneyland

As the Travis CI documentation on encrypted environment variables notes:

Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code.

[...]

Encryption and decryption keys are tied to the repository. If you fork a project and add it to Travis CI, it will not have access to the encrypted variables.

This is an encrypted API key, and it is designed to be included in .travis.yml files, as you stumbled across above. Only the author's repository can actually use that encrypted API key as is.

EdOverflow
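As an added example, not taken from either answer or from the Travis CLI's own code, the Ruby script below models the scheme the quoted documentation describes: `travis encrypt` fetches the repository's RSA public key, encrypts a `NAME=value` string with it (PKCS#1 v1.5 padding), base64-encodes the result and emits it as a `secure:` entry; at build time Travis decrypts it with the matching private key, which never leaves the service. The key pairs, the variable name and the value here are constructed for the example, and the second key pair stands in for a fork registered as a separate repository.

```ruby
require "openssl"
require "yaml"

# Stand-in for the per-repository RSA key pair Travis CI holds for a project.
# Only the public half is ever handed to `travis encrypt`. (Constructed here.)
def repo_keypair(bits = 2048)
  OpenSSL::PKey::RSA.new(bits)
end

# What `travis encrypt` does with "NAME=value": RSA PKCS#1 v1.5 encryption
# under the repository public key, then base64 (pack("m0") = strict base64).
def encrypt_env(public_key, assignment)
  [public_key.public_encrypt(assignment)].pack("m0")
end

# The resulting .travis.yml fragment, as it appears under env: global:.
def secure_yaml(public_key, assignment)
  { "env" => { "global" => [{ "secure" => encrypt_env(public_key, assignment) }] } }.to_yaml
end

# Build-time decryption with the repository private key. Returns nil when the
# padding check fails. Caveat: OpenSSL 3.2+ applies "implicit rejection" to
# PKCS#1 v1.5 and may hand back random bytes instead of raising when the wrong
# key is used, so a caller must still compare the result with what it expects.
def decrypt_env(private_key, ciphertext_b64)
  private_key.private_decrypt(ciphertext_b64.unpack1("m0"))
rescue OpenSSL::PKey::PKeyError
  nil
end

if __FILE__ == $0
  repo = repo_keypair           # the original project's key pair
  fork = repo_keypair           # a fork added to Travis gets its own pair
  secret = "API_KEY=constructed-example-value"   # constructed sample secret

  fragment = secure_yaml(repo, secret)
  puts fragment                 # this is what ends up in the public repo

  ciphertext = YAML.safe_load(fragment)["env"]["global"][0]["secure"]
  puts "original repo recovers: #{decrypt_env(repo, ciphertext).inspect}"
  puts "fork recovers:          #{decrypt_env(fork, ciphertext).inspect}"
end
```

The printed `secure:` value is exactly the kind of string the question's screenshot shows: it is safe to publish only because decrypting it needs the private key held by Travis for that one repository, and a reader can check that a fresh encryption of the same secret yields a different ciphertext (PKCS#1 v1.5 encryption is randomized), so the value cannot even be used to confirm a guessed plaintext by re-encrypting it.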