Tech »  Topic »  Travis CI quietly fixed a bug that exposed secret keys

Travis CI quietly fixed a bug that exposed secret keys


From at least September 3 through September 10, public open-source code repositories that used Travis CI exposed their sensitive keys, credentials, and tokens to potential theft.

Travis CI – the CI being continuous integration – allows developers to automate processes for testing and building software. Developers using a CI system often deal with passwords, access tokens, and API keys that should not be exposed in public source code repositories and are thus typically stored separately as environmental variables.

Due to a flaw in the way Travis CI handled environmental variables, a public repository forked from another repo could file a pull request that would collect the secret environmental variables set in the original upstream repository.

And that's a serious security problem, particularly for such widely used software. As of 2019, Travis CI was used in more than 932,977 open-source projects and by more than 600,000 users [PDF]. A GitHub ...


Copyright of this story solely belongs to theregister.co.uk . To see the full text click HERE