cordova-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CB-11528) Remove verbose mode from xcrun in build.js to prevent logging of environment variables.
Date Wed, 10 Aug 2016 22:48:20 GMT

    [ https://issues.apache.org/jira/browse/CB-11528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15416159#comment-15416159
] 

ASF GitHub Bot commented on CB-11528:
-------------------------------------

GitHub user shazron opened a pull request:

    https://github.com/apache/cordova-ios/pull/240

    CB-11528 - Remove verbose mode from xcrun in build.js to prevent logg…

    …ing of environment variables.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/shazron/cordova-ios CB-11528

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cordova-ios/pull/240.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #240
    
----
commit 63ba2afb2d6ccb14d013cff9744f955db79a6a6f
Author: Shazron Abdullah <shazron@apache.org>
Date:   2016-08-10T22:46:04Z

    CB-11528 - Remove verbose mode from xcrun in build.js to prevent logging of environment
variables.

----


> Remove verbose mode from xcrun in build.js to prevent logging of environment variables.
> ---------------------------------------------------------------------------------------
>
>                 Key: CB-11528
>                 URL: https://issues.apache.org/jira/browse/CB-11528
>             Project: Apache Cordova
>          Issue Type: Improvement
>          Components: iOS
>            Reporter: Meir Gottlieb
>            Assignee: Shazron Abdullah
>
> During the build process for IOS, xcrun is called with the "-v" option for verbose output.
As part of the output, xcrun prints out all the environment variables. This can be a security
issue on CI servers because CI servers often provide a way to store encrypted secrets that
are decrypted and put in environment variables during the build. When xcrun prints out all
the environment variables, the output on the CI server is then logged containing the unencrypted
versions of the secrets.
> Current the workaround is to use the --noSign option and then call xcrun directly. However,
it would be nice to remove the "-v" option when calling "xcrun" in Cordova.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org


Mime
View raw message