

{"id":5929,"date":"2017-05-08T22:04:39","date_gmt":"2017-05-09T03:04:39","guid":{"rendered":"https:\/\/rud.is\/b\/?p=5929"},"modified":"2018-03-07T17:18:10","modified_gmt":"2018-03-07T22:18:10","slug":"travis-ci-flaw-exposed-some-secure-environment-variable-contents","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2017\/05\/08\/travis-ci-flaw-exposed-some-secure-environment-variable-contents\/","title":{"rendered":"Travis-CI Flaw Exposed Some &#8216;Secure&#8217; Environment Variable Contents"},"content":{"rendered":"<p>Tagging this as <code>#rstats<\/code>-related since <em>many<\/em> R coders use Travis-CI to automate package builds (and other things). Security researcher Ivan Vyshnevskyi did some ++gd <a href=\"https:\/\/blog.travis-ci.com\/2017-05-08-security-advisory\">responsible disclosure<\/a> to the Travis-CI folks letting them know they were leaking the contents of &#8220;secure&#8221; environment variables in the build logs.<\/p>\n<p>The TL;DR on &#8220;secure&#8221; environment variables is that they let you store secrets &mdash; such as OAuth keys or API tokens &mdash; ostensibly &#8220;securely&#8221; (they have to be decrypted to be used, so someone\/something has the keys to do that, so it&#8217;s not really &#8220;secure&#8221;). That is, they should not leak them in build logs. Except that they did&hellip;for a bit.<\/p>\n<p>As mentioned, this flaw was reported and is now fixed. Regen your &#8220;secrets&#8221; and keep an eye on Travis security announcements moving forward.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tagging this as #rstats-related since many R coders use Travis-CI to automate package builds (and other things). Security researcher Ivan Vyshnevskyi did some ++gd responsible disclosure to the Travis-CI folks letting them know they were leaking the contents of &#8220;secure&#8221; environment variables in the build logs. 
The TL;DR on &#8220;secure&#8221; environment variables is that they [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[3,91],"tags":[810],"class_list":["post-5929","post","type-post","status-publish","format-standard","hentry","category-information-security","category-r","tag-post"],"yoast_head_json":{"title":"Travis-CI Flaw Exposed Some 'Secure' Environment Variable Contents - rud.is","canonical":"https:\/\/rud.is\/b\/2017\/05\/08\/travis-ci-flaw-exposed-some-secure-environment-variable-contents\/","og_site_name":"rud.is","article_published_time":"2017-05-09T03:04:39+00:00","article_modified_time":"2018-03-07T22:18:10+00:00","author":"hrbrmstr"}}