[jira] [Commented] (CB-11528) Remove verbose mode from xcrun in build.js to prevent logging of environment variables.

Wed, 10 Aug 2016 15:48:34 -0700 

    [ 
https://issues.apache.org/jira/browse/CB-11528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15416159#comment-15416159
 ] 

ASF GitHub Bot commented on CB-11528:
-------------------------------------

GitHub user shazron opened a pull request:

    https://github.com/apache/cordova-ios/pull/240

    CB-11528 - Remove verbose mode from xcrun in build.js to prevent logg…

    …ing of environment variables.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/shazron/cordova-ios CB-11528

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cordova-ios/pull/240.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #240
    
----
commit 63ba2afb2d6ccb14d013cff9744f955db79a6a6f
Author: Shazron Abdullah <[email protected]>
Date:   2016-08-10T22:46:04Z

    CB-11528 - Remove verbose mode from xcrun in build.js to prevent logging of 
environment variables.

----


> Remove verbose mode from xcrun in build.js to prevent logging of environment 
> variables.
> ---------------------------------------------------------------------------------------
>
>                 Key: CB-11528
>                 URL: https://issues.apache.org/jira/browse/CB-11528
>             Project: Apache Cordova
>          Issue Type: Improvement
>          Components: iOS
>            Reporter: Meir Gottlieb
>            Assignee: Shazron Abdullah
>
> During the build process for IOS, xcrun is called with the "-v" option for 
> verbose output. As part of the output, xcrun prints out all the environment 
> variables. This can be a security issue on CI servers because CI servers 
> often provide a way to store encrypted secrets that are decrypted and put in 
> environment variables during the build. When xcrun prints out all the 
> environment variables, the output on the CI server is then logged containing 
> the unencrypted versions of the secrets.
> Current the workaround is to use the --noSign option and then call xcrun 
> directly. However, it would be nice to remove the "-v" option when calling 
> "xcrun" in Cordova.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to