Page MenuHomePhabricator

[land-bot] Fix a bug where the unencrypted CONDUIT_TOKEN could be logged by subshells
ClosedPublic

Authored by jasonbcox on May 1 2020, 21:29.

Details

Summary

The caller provides their Conduit token so that land-bot can land the change as them.
Since this token is secret, we need to ensure it cannot be accidentally logged by subshells.

This also prevents malicious patches from stealing CONDUIT_TOKEN, though there's unlikely to
be a realizable attack vector here since the token is supplied by the caller in the first place.

Test Plan

First, see D5930 for reference.

CONDUIT_TOKEN=my-secret-token ./land-patch --dry-run -r D5930

Pre-patch, observe this output in the log:

+ echo my-secret-token

Post-patch, observe this output in the log:

CONDUIT_TOKEN: unbound variable

Diff Detail

Repository
rABC Bitcoin ABC
Branch
token-no-export
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 10547
Build 18905: Default Diff Build & Tests
Build 18904: arc lint + arc unit