Composer leaks contents of tokens configured as GitHub OAuth tokens

damienwebdev 62 points 26 comments May 13, 2026
github.com · View on Hacker News

Discussion Highlights (7 comments)

damienwebdev

I was the reporter on this one. If you have GitHub Actions in your organization, disable them immediately if you're unsure which version of Composer your GitHub Actions run.

Normal_gaussian

GHA have always been a PITA for any serious DevOps; it's quite clear they were designed to integrate in 7 lines of code and then tell everyone who complains that they're doing it wrong. This does not surprise me.

esafak

The title suggests it is a Github issue but really it is https://github.com/composer/composer no? I would edit the title for clarity.

euph0ria

What is the security implication for private repos?

h1fra

The title is incorrect; it's not a GitHub error but PHP Composer's GitHub Action. cc @dang before people freak out

ShowalkKama

I may be silly, but why would you ever want to validate the structure of an opaque authentication key? Couldn't you just hit a harmless endpoint (e.g. /rate_limit) to see if it returns 401 or not?
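An added example of the approach this comment proposes (example code, not Composer's or GitHub's own, and not part of the thread): a token is "validated" by sending it to GET /rate_limit, which GitHub documents as not counting against the rate limit, and the verdict is read from the status code. The token's format is never inspected, and the only thing the report carries is a hash fingerprint, so nothing reaches a CI log that could be replayed. The `fake_github` transport and the `constructed-*` tokens are assumptions for offline use; the real `http_status` transport needs network access.

```python
# Added example (not Composer's or GitHub's code): validate a GitHub token by
# probing a harmless endpoint instead of inspecting its structure, and never
# put the token itself into any log or report.
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, Set

GITHUB_API = "https://api.github.com"
StatusFetcher = Callable[[str, Dict[str, str]], int]


def fingerprint(secret: str) -> str:
    """Loggable stand-in for a secret: a short SHA-256 prefix, never the value."""
    return "sha256:" + hashlib.sha256(secret.encode()).hexdigest()[:12]


def http_status(url: str, headers: Dict[str, str]) -> int:
    """Real transport (needs network): HTTP status of a GET, 4xx/5xx included."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_github_token(token: str, fetch: StatusFetcher = http_status) -> Dict[str, str]:
    """Probe GET /rate_limit. GitHub answers 200 for a usable credential and
    401 for a bad one. The token's shape is never examined, so a new token
    prefix cannot break this check, and the report holds only a fingerprint."""
    headers = {
        "Authorization": "Bearer " + token,
        "Accept": "application/vnd.github+json",
        "User-Agent": "token-probe-example",
    }
    status = fetch(GITHUB_API + "/rate_limit", headers)
    if status == 200:
        verdict = "valid"
    elif status == 401:
        verdict = "invalid"
    else:
        verdict = "unknown"  # outage, proxy, block: do not guess either way
    return {"token": fingerprint(token), "status": str(status), "verdict": verdict}


def fake_github(accepted: Set[str]) -> StatusFetcher:
    """Offline stand-in for api.github.com (assumption for the demo): accepts
    exactly the tokens in `accepted` and rejects everything else with 401."""
    def fetch(url: str, headers: Dict[str, str]) -> int:
        if not url.endswith("/rate_limit"):
            return 404
        auth = headers.get("Authorization", "")
        presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        return 200 if presented in accepted else 401
    return fetch


if __name__ == "__main__":
    gh = fake_github({"constructed-good-token"})  # constructed tokens, not real ones
    for candidate in ("constructed-good-token", "constructed-revoked-token"):
        print(check_github_token(candidate, gh))
```

Swap `fake_github(...)` for the default `http_status` transport to probe the real API; the report format stays the same, and the caller can grep its own output for the fingerprint instead of the secret.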

micksmix

This is also a good reminder to scan CI logs, not just source code.

Shameless plug: I work on Kingfisher, an Apache 2.0 OSS secret scanner and validator written in Rust, that can also map blast radius and revoke many creds: https://github.com/mongodb/kingfisher

It can scan repos, history, and artifacts and validate many findings against provider APIs, as well as revoke many exposed tokens directly from the CLI. Also generates a blast-radius/access-map view so you can see what a leaked credential could reach.

Install:

    brew install kingfisher   # or: uv tool install kingfisher-bin

Scan a local path:

    kingfisher scan /path/to/scan --access-map --view-report

Or scan a GitHub/GitLab repo directly:

    kingfisher scan https://github.com/path/to/repo.git --access-map --view-report
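An added example of the "scan CI logs" point (example code, not Kingfisher's and not part of the thread): a minimal scanner that walks log text for GitHub's published token prefixes, reports each hit by line number, kind and hash fingerprint, and offers a redacting pass for logs that must be kept. The log lines are constructed for the demo and are not real Composer or GitHub Actions output; the length pattern used for fine-grained tokens is an assumption, not something the page states.

```python
# Added example (not Kingfisher's code): find and redact GitHub token shapes
# in CI log text. The sample log below is constructed for the demo.
import hashlib
import re
from typing import Dict, List

# Prefixes GitHub introduced for its token formats: classic PATs (ghp_), OAuth
# access tokens (gho_), user-to-server (ghu_), server-to-server (ghs_) and
# refresh tokens (ghr_) carry 36 characters after the prefix. Fine-grained
# PATs start with github_pat_; the length bound used for them here is an
# assumption of this example, not taken from the page.
TOKEN_KINDS = {
    "ghp": "personal access token (classic)",
    "gho": "OAuth access token",
    "ghu": "user-to-server token",
    "ghs": "server-to-server token",
    "ghr": "refresh token",
    "github_pat": "fine-grained personal access token",
}
GITHUB_TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_])"
    r"(?:(gh[pousr])_[A-Za-z0-9]{36}|(github_pat)_[A-Za-z0-9_]{60,})"
    r"(?![A-Za-z0-9_])"
)

# Constructed log lines; the tokens are synthetic and the messages are not
# real Composer output.
SAMPLE_CI_LOG = "\n".join([
    "2026-05-13T10:00:01Z Run composer install",
    "2026-05-13T10:00:02Z Warning: token ghp_0123456789abcdefghijklmnopqrstuvwxyz was rejected",
    "2026-05-13T10:00:03Z env: GH_TOKEN=" + "github_pat_" + "A" * 22 + "_" + "b" * 59,
    "2026-05-13T10:00:04Z short string ghp_notatoken should not match",
    "2026-05-13T10:00:05Z Done",
])


def fingerprint(secret: str) -> str:
    """Loggable stand-in for a secret: a short SHA-256 prefix, never the value."""
    return "sha256:" + hashlib.sha256(secret.encode()).hexdigest()[:12]


def find_github_tokens(text: str) -> List[Dict[str, str]]:
    """Scan log text line by line; each finding names the line, the token kind
    and a fingerprint, so the report itself never re-leaks the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GITHUB_TOKEN_RE.finditer(line):
            kind = match.group(1) or match.group(2)
            findings.append({
                "line": str(lineno),
                "kind": TOKEN_KINDS[kind],
                "fingerprint": fingerprint(match.group(0)),
            })
    return findings


def redact(text: str) -> str:
    """Replace every matched token with its prefix plus a marker, keeping the
    prefix so the kind of credential is still visible in the sanitised log."""
    return GITHUB_TOKEN_RE.sub(lambda m: (m.group(1) or m.group(2)) + "_[REDACTED]", text)


if __name__ == "__main__":
    for finding in find_github_tokens(SAMPLE_CI_LOG):
        print(finding)
    print(redact(SAMPLE_CI_LOG))
```

Run it against a downloaded workflow log (or pipe the log into `find_github_tokens`) to get a list of lines to treat as leaked; the fingerprints let two teams agree they are looking at the same credential without pasting it into a ticket.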
