Aman-Mittal commented on code in PR #5388:
URL: https://github.com/apache/fineract/pull/5388#discussion_r2726652805
##########
fineract-doc/slack.gradle:
##########
@@ -0,0 +1,165 @@
+
+import groovy.json.JsonSlurper
+import java.time.Instant
+import java.time.ZoneId
+import java.time.format.DateTimeFormatter
+
+task updateSlackArchive {
+ group = 'documentation'
+ description = 'Fetches Slack messages and generates AsciiDoc archives'
+
+ def outputDir = file("${projectDir}/src/docs/en/chapters/slack_archive")
+ outputs.dir outputDir
+
+ doLast {
+ def token = System.getenv('SLACK_TOKEN')
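Review bot: `def token = System.getenv('SLACK_TOKEN')` at the end of this hunk has no check for a missing or empty value, so a build run without the variable proceeds and sends an empty credential to the Slack API rather than failing clearly. Fail the task up front with a message that names the variable but never echoes its value, for example `if (!token) throw new GradleException('SLACK_TOKEN is not set')`, and make sure no later `println`, `logger` call or exception message interpolates `token`, since Gradle output is routinely captured in CI logs.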
Review Comment:
The Gradle task pulls Slack messages via the Slack API using a token from
SLACK_TOKEN. If this token is accidentally leaked (in build logs, CI cache,
config, etc.), it could expose your Slack workspace. The script doesn’t include
any secure handling/obfuscation of the token – it’s passed raw to HTTP
connections.

Risk
- Token might be logged in CI output.
- Token could end up in Gradle caches, backups, or public artifacts if misconfigured.
- Slack rate/lifecycle issues (tokens expire or permissions change).

Mitigation ideas
- Require encrypted secrets or use a tool, not raw env token.
- Add explicit handling to avoid leaking token in logs.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
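The mitigation the comment asks for (validate the token before use, and keep it out of logs) can be shown in a small plain Groovy script. This is an added example, not code from the Fineract PR: the helper names `requireToken`, `redact` and `openSlackConnection` are assumptions, the environment map is constructed for the demonstration, and the Slack URL is a placeholder.

```groovy
// Added example, not part of the PR. Plain Groovy so it runs stand-alone;
// the same helpers can be called from a Gradle doLast block.
import java.net.HttpURLConnection

// Read the token once and fail fast with a clear message when it is absent or blank,
// instead of sending an empty Authorization header to the Slack API.
String requireToken(Map<String, String> env, String name = 'SLACK_TOKEN') {
    String value = env.get(name)
    if (value == null || value.trim().isEmpty()) {
        // The message names the variable but never includes its value.
        throw new IllegalStateException("${name} is not set; export it from the CI secret store before running this task")
    }
    return value.trim()
}

// Replace every occurrence of the secret in a message before it reaches a log line.
// Matching on the value itself avoids assuming anything about Slack's token format.
String redact(String message, String secret) {
    if (message == null || secret == null || secret.isEmpty()) {
        return message
    }
    return message.replace(secret, '***REDACTED***')
}

// Attach the token as a request header rather than a query parameter; query strings
// are far more likely to land in proxy, web-server and CI logs than headers are.
HttpURLConnection openSlackConnection(String url, String token) {
    HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection()
    conn.setRequestProperty('Authorization', "Bearer ${token}")
    conn.setRequestProperty('Content-Type', 'application/x-www-form-urlencoded')
    return conn
}

// Demonstration with a constructed environment map; a Gradle task would pass System.getenv().
def fakeEnv = [SLACK_TOKEN: 'constructed-sample-token-value']
String token = requireToken(fakeEnv)

// Anything that might be logged goes through redact() first.
String logLine = "Fetching channel history with token=${token}"
println redact(logLine, token)

// Placeholder URL; no request is actually sent in this demonstration.
HttpURLConnection conn = openSlackConnection('https://example.invalid/api/conversations.history', token)
println "Prepared ${conn.getRequestMethod()} request; Authorization header set: ${conn.getRequestProperty('Authorization') != null}"

// The missing-variable case is rejected before any network call is made.
try {
    requireToken([:])
} catch (IllegalStateException e) {
    println "Refused to run: ${e.message}"
}
```

Inside a Gradle build script the same check can lean on the provider API (`providers.environmentVariable('SLACK_TOKEN')`), which keeps the value lazy and lets the task declare the variable as an input without printing it; the redaction helper is still worth keeping for any `logger` or exception path that touches the token.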