HackerTrans
トップ新着トレンドコメント過去質問紹介求人

thyrfa

no profile record

コメント

thyrfa
·11 か月前·議論
Not at that time though, right, considering it was dumped? You have changed since, which is good, but under a year ago had it as just an env var
thyrfa
·11 か月前·議論
How can you guarantee that nobody ripped the private key before the researcher told you about the issue though?
thyrfa
·11 か月前·議論
It is incredibly bad practice that their "become the github app as you desire" keys to the kingdom private key was just sitting in the environment variables. Anybody can get hacked, but that's just basic secrets management, that doesn't have to be there. Github LITERALLY SAYS on their doc that storing it in an environment variable is a bad idea. Just day 1 stuff. https://docs.github.com/en/apps/creating-github-apps/authent...