From fd34a58e13cc59a4fe6dd384e0f6d0d63187879d Mon Sep 17 00:00:00 2001 From: Georgios Kalpakas Date: Sun, 5 Mar 2017 16:32:44 +0200 Subject: [PATCH] fix(aio): ensure `NGBUILDS_IO_KEY` is not printed Gaining access to another PR's JWT, would allow faking that PR's author wrt to GitHub team membership verification for as long as the JWT is valid (currently 90 mins). --- .../docs/01. VM setup - Set up secrets.md | 12 ++++++++++-- aio/scripts/deploy-preview.sh | 3 ++- scripts/ci/env.sh | 1 + 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/aio/aio-builds-setup/docs/01. VM setup - Set up secrets.md b/aio/aio-builds-setup/docs/01. VM setup - Set up secrets.md index b9d73bd722..7c3206886c 100644 --- a/aio/aio-builds-setup/docs/01. VM setup - Set up secrets.md +++ b/aio/aio-builds-setup/docs/01. VM setup - Set up secrets.md @@ -18,8 +18,8 @@ Necessary secrets: **Note:** `TEST_GITHUB_TOKEN` and `TEST_PREVIEW_DEPLOYMENT_TOKEN` can also be created similar to their -non-TEST counterparts and they will be loaded when running `aio-verify-setup`, but it currently not -clear if/how they can be used in tests. +non-TEST counterparts and they will be loaded when running `aio-verify-setup`, but it is currently +not clear if/how they can be used in tests. ## Create secrets @@ -33,6 +33,14 @@ clear if/how they can be used in tests. - Add it to `.travis.yml` under `addons -> jwt -> secure`. Can be added automatically with: `travis encrypt --add addons.jwt PREVIEW_DEPLOYMENT_TOKEN=` +**Note:** +Due to [travis-ci/travis-ci#7223](https://github.com/travis-ci/travis-ci/issues/7223) it is not +currently possible to use the JWT addon (as described above) for anything other than the +`SAUCE_ACCESS_KEY` variable. You can get creative, though... + +**WARNING** +TO avoid arbitrary uploads, make sure the `PREVIEW_DEPLOYMENT_TOKEN` is NOT printed in the Travis log. + ## Save secrets on the VM 
diff --git a/aio/scripts/deploy-preview.sh b/aio/scripts/deploy-preview.sh index 9d8f383793..d624b3c4ef 100755 --- a/aio/scripts/deploy-preview.sh +++ b/aio/scripts/deploy-preview.sh @@ -1,6 +1,7 @@ #!/usr/bin/env bash -set -eux -o pipefail +# WARNING: NGBUILDS_IO_KEY should NOT be printed. +set +x -eu -o pipefail INPUT_DIR=dist/ diff --git a/scripts/ci/env.sh b/scripts/ci/env.sh index 40c30f6aeb..ceaf75c0e2 100755 --- a/scripts/ci/env.sh +++ b/scripts/ci/env.sh @@ -74,6 +74,7 @@ if [[ ${TRAVIS:-} ]]; then # If NGBUILDS_IO_KEY not set yet, export the NGBUILDS_IO_KEY using the JWT token that Travis generated and exported for SAUCE_ACCESS_KEY. # This is a workaround for travis-ci/travis-ci#7223 + # WARNING: NGBUILDS_IO_KEY should NOT be printed export NGBUILDS_IO_KEY=${NGBUILDS_IO_KEY:-$SAUCE_ACCESS_KEY} # Used by karma and karma-chrome-launcher
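Review bot: in the second docs hunk (`@@ -33,6 +33,14 @@`, the added WARNING paragraph), `TO avoid` should read `To avoid`, and `**WARNING**` should carry a colon like the `**Note:**` callouts above it so the two callouts match. It would also help to state how the token ends up printed in practice, namely a script running with `set -x` echoing the expanded variable, since that is exactly the case the two shell changes in this patch address.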
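Review bot: in the deploy-preview.sh hunk, `set +x -eu -o pipefail` only switches off bash's own command tracing; it does not keep the key out of the log if a command in the script prints its arguments or environment, so the comment above it should say explicitly that `+x` is there to keep the expanded `NGBUILDS_IO_KEY` out of the Travis log and that `set -x` must not be reintroduced further down. The explicit `+x` (rather than merely dropping `-x`) is a good choice and deserves a word in the comment too, since it also disables tracing when the script is started with `bash -x` or inherits xtrace from its parent.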
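Review bot: in the env.sh hunk, the new comment documents the intent but nothing enforces it: if env.sh is sourced by a script that has `set -x` enabled, the `export NGBUILDS_IO_KEY=${NGBUILDS_IO_KEY:-$SAUCE_ACCESS_KEY}` line is echoed with its expanded value. Consider guarding the export itself, e.g. `set +x` before the line and restoring tracing afterwards only if `$-` contained `x`, so the guarantee does not depend on every caller of env.sh, and check that no remaining caller still runs with `-x`. Minor: the added comment lacks the trailing period used in the matching comment in deploy-preview.sh.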