Travis-CI Flaw Exposed Some ‘Secure’ Environment Variable Contents

Tagging this as #rstats-related since many R coders use Travis-CI to automate package builds (and other things). Security researcher Ivan Vyshnevskyi did some ++gd responsible disclosure to the Travis-CI folks letting them know they were leaking the contents of “secure” environment variables in the build logs.

The TL;DR on “secure” environment variables is that they let you store secrets — such as OAuth keys or API tokens — ostensibly “securely” (they have to be decrypted to be used, so someone/something has the keys to do that, so it’s not really “secure”). That is, they should not leak them in build logs. Except that they did…for a bit.

As mentioned, this flaw was reported and is now fixed. Regen your “secrets” and keep an eye on Travis security announcements moving forward.
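As an added example (not from the post or from Travis), here is a small POSIX shell check you can run against a saved build log to see whether the plaintext of any secret env var ended up in it; it also checks the base64 form, since tokens often appear that way in Authorization headers. The variable names and the sample log are constructed for the demo.

```shell
#!/bin/sh
# Added example: scan a CI build log for leaked secret values.
# Returns 0 if no secret value appears, 1 if any does.
# Usage: scan_log_for_secrets LOGFILE VAR1 [VAR2 ...]
scan_log_for_secrets() {
  log="$1"; shift
  leaked=0
  for var in "$@"; do
    # Indirect expansion in plain sh: read the value of the named variable.
    eval "value=\${$var}"
    [ -z "$value" ] && continue
    # base64 form without the trailing newline that base64(1) adds.
    b64=$(printf '%s' "$value" | base64 | tr -d '\n')
    # grep -F treats the secret literally (no regex metacharacters), -q is quiet.
    if grep -Fq -- "$value" "$log"; then
      echo "LEAK: plaintext value of $var appears in $log"
      leaked=1
    elif grep -Fq -- "$b64" "$log"; then
      echo "LEAK: base64-encoded value of $var appears in $log"
      leaked=1
    fi
  done
  return $leaked
}

# Constructed sample secrets (hypothetical names and values, for the demo only).
MY_API_TOKEN="s3cr3t-token-value"
OTHER_SECRET="never-printed"
export MY_API_TOKEN OTHER_SECRET

# Writes a constructed log to a temp file and prints its path.
# The export line shows "[secure]" the way a masked value would; the
# curl line is the kind of place the plaintext slips through anyway.
make_sample_log() {
  f=$(mktemp)
  printf '%s\n' \
    'Using worker: travis-linux-1' \
    '$ export MY_API_TOKEN=[secure]' \
    '$ curl -H "Authorization: token s3cr3t-token-value" https://api.example/' \
    'Done. Your build exited with 0.' > "$f"
  printf '%s' "$f"
}

# Demo: reports the leaked token, stays quiet about the secret never printed.
DEMO_LOG=$(make_sample_log)
scan_log_for_secrets "$DEMO_LOG" MY_API_TOKEN OTHER_SECRET || true
rm -f "$DEMO_LOG"
```

If the check fires, treat the secret as compromised and rotate it, exactly as the post advises for the Travis incident.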
