Potential key leak #3

Open
pyhedgehog opened this issue May 13, 2016 · 1 comment

@pyhedgehog

Let's pretend the following scenario:

$ fantastic-hookio-cli hook create echo
{"error":true,"message":"\"anonymous\" does not have the role \"hook::update\" which is required to access \"/admin\"\n\nIf you are the owner of this resource try logging in at https://hook.io/login\n\nIf any access keys have been created you can also provide a `hook_private_key` parameter to access the service.","user":"anonymous","role":"hook::update","type":"unauthorized-role-access"}
$ export hook_private_key=12345
$ fantastic-hookio-cli hook create echo
{
  "status": "created",
  "hook": {
    "ctime": 1463162172503,
    "mtime": 1463162172503,
    "name": "echo",
...
    "_rev": "1-eb2043385b3681156281afc2b73fc331",
    "id": "90f540533710a16e333d3bd33b764aea",
    "hookSource": "code"
  }
}

Then you want to run this hook (or some other hook) and forget to unset $hook_private_key:

$ hook marak/echo
{ hook_private_key: '12345', param1: 'foo', param2: 'bar' }

BTW: I have a "fantastic-hookio-cli" skeleton with a sketch of hook.io-sdk-python. 😉 Are you interested?
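
The leak described in this report, next to one way a CLI could scope the key, as an added example that is not code from the issue or from the hook.io project. It assumes a hypothetical `hook_owner` variable naming the account the key belongs to; the function names and the owner `alice` are made up for illustration.

```javascript
// Behaviour shown in the issue: the key from the environment is merged into
// the parameters of every call, whoever owns the target hook.
function leakyParams(userParams, env) {
  const params = { ...userParams };
  if (env.hook_private_key) params.hook_private_key = env.hook_private_key;
  return params;
}

// Scoped variant: the key is attached only when the target hook belongs to
// the account that owns the key. `hook_owner` is a hypothetical variable,
// not a documented hook.io setting. If it is unset, the key is never sent.
function scopedParams(target, userParams, env) {
  const owner = String(target).split('/')[0];
  const ownTarget = Boolean(env.hook_owner) && owner === env.hook_owner;
  const params = {};
  let withheld = false;
  for (const [name, value] of Object.entries(userParams)) {
    // A key passed explicitly is treated the same as one taken from env.
    if (name === 'hook_private_key' && !ownTarget) { withheld = true; continue; }
    params[name] = value;
  }
  if (env.hook_private_key) {
    if (ownTarget) params.hook_private_key = env.hook_private_key;
    else withheld = true; // caller can warn that the key was not forwarded
  }
  return { params, withheld };
}

// Constructed sample: key value and target hook are the ones in the issue,
// the owner "alice" is invented.
const sampleEnv = { hook_private_key: '12345', hook_owner: 'alice' };
const sampleArgs = { param1: 'foo', param2: 'bar' };
console.log(leakyParams(sampleArgs, sampleEnv));
console.log(scopedParams('marak/echo', sampleArgs, sampleEnv));
console.log(scopedParams('alice/echo', sampleArgs, sampleEnv));
```
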

@Marak
Collaborator

Marak commented May 13, 2016

Yes please!
