Comments (8)
Looks reasonable.
from slack-cli.
@NateEag Thanks for the idea! My hesitation thus far is thinking through attack vectors this might open that could be considered "unreasonable". Thoughts? Prior art?
git's credential cache. https://git-scm.com/docs/git-credential-cache
@rockymadden I'm not a security expert, and I don't have a good answer off the top of my head, but I'll type about this for a bit and see if anything useful comes out.
If you populate the env variable from a file that's world- or group-readable, a local user could use this to see what command you use to fetch your Slack CLI token.
However, the way Slack CLI works now, local users can see the Slack token directly, since the token is stored in plain text.
Chewing on it some, I guess the curl commands that specify the token directly might wind up in bash command history? That's one attack vector I've heard of that I hadn't thought about.
If that happens here, then the SLACK_CLI_TOKEN_CMD would be giving a false sense of security, which is one of the worst things it could do.
I might also be wrong about how safe it is to store secret values in bash variables. I believe if a variable isn't exported, all the OS protections that apply to process memory should apply to them, and so they should be reasonably safe, but like I said, I'm not a security expert.
Reasonably correct.
Anyone with root privileges on a Linux machine can look in /proc and /mem and go digging. But you are supposed to trust them. Otherwise environment variables are reasonably secure. When they fail plenty of other things have failed too.
Bash command history is handled by the same file permissions that the .slack file has. If someone can look in your home directory and read a file, then they can read your history. But curl won't end up in that history because the history only contains commands run from the prompt.
@NateEag and @shaleh If you both are good, I am as well.
@rockymadden if you mimic git you should be solid. The git config lets you specify a program to run when credentials are needed. This program takes known parameters and returns a password on stdout (which git is reading from via pipes). This way there is no leaking.
Given @shaleh's comments I think we should be fine. What he described from git is what I've done.
I'm really busy right now (moving this weekend), so there won't be a PR from me right now.
If you're comfortable with the change as I made it in my dotfiles (linked above), feel free to go ahead and commit that patch yourself.
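The git-style flow shaleh and NateEag describe, as an added shell example that is not slack-cli's own code: the command named in SLACK_CLI_TOKEN_CMD (the variable name comes from the thread) prints the token on stdout, the script captures it into a non-exported variable and hands it to curl over stdin with `-K -`, so the token never appears on a command line, in `ps` output, or in shell history. The default helper command, `curl_auth_config` and `slack_api` are constructed for illustration.

```shell
# Added example, not slack-cli's own code. Mirrors the git credential-helper
# model from the thread: a user-configured command prints the secret on
# stdout and we read it over a pipe instead of placing it on a command line.

# Constructed stand-in for a real helper such as a password-manager lookup;
# a user would set this to something like 'pass show slack/token'.
: "${SLACK_CLI_TOKEN_CMD:=printf xoxp-constructed-example-token}"

# Run the helper with sh -c (as git does) and capture its stdout.
# The token lands in a local, non-exported variable: child processes do not
# inherit it, and it never passes through argv or bash history.
slack_token() {
    local tok
    tok="$(sh -c "$SLACK_CLI_TOKEN_CMD")" || return 1
    if [ -z "$tok" ]; then
        echo "SLACK_CLI_TOKEN_CMD produced no output" >&2
        return 1
    fi
    printf '%s' "$tok"
}

# Emit a curl config fragment carrying the Authorization header.
# Fed to `curl -K -` on stdin, the token is absent from curl's argv,
# which any local user could otherwise read with ps.
curl_auth_config() {
    printf 'header = "Authorization: Bearer %s"\n' "$1"
}

# Call a Slack Web API method, e.g. `slack_api auth.test` (hypothetical helper).
slack_api() {
    local tok
    tok="$(slack_token)" || return 1
    curl_auth_config "$tok" | curl -sS -K - "https://slack.com/api/$1"
}
```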