OAuth token exposed in status page on task error
I notice that the token lorry uses to push/pull is exposed on the status page (in the debug information of the log) when a mirroring task exists with an error (I've snipped the actual token here):
DEBUG Config:
[config]
...
mirror-base-url-push = https://oauth2:<snip>@gitlab.gnome.org
mirror-base-url-fetch = https://oauth2:<snip>@gitlab.gnome.org
...
The API token is secretly set from the ansible vault so should definitely not be publicly exposed like this. I believe anyone with the token can push changes to the mirrored repos as if they were the lorry controller bot, which could be used to sneak malicious code into a mirror.
@jjardon I don't currently have time to follow this up, but believe there is a lorry controller config setting for the level of logging which could remove these debug messages. When it's fixed here we will want to get a new token generated and inserted into the ansible vault since the current one has been exposed. The debug messages may be useful though, in which case we may want to push an issue upstream to lorry.
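As an added illustration (not code from lorry or lorry-controller), the following shows the alternative to dropping the debug messages entirely: a redaction step that masks the password part of any `scheme://user:secret@host` URL before a config dump reaches the log, so the mirror URLs stay readable while the token does not. The config text and the `RedactingFilter` are constructed here for the example; `EXAMPLE_TOKEN` is a placeholder, not a real credential.

```python
import logging
import re

# Matches "scheme://user:secret@" and captures the secret separately so only it is
# masked. The secret part may not contain "/", "@" or whitespace, which keeps
# "https://host:8080/path" (a port, no "@") from being treated as credentials.
_URL_USERINFO = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*://)"
    r"(?P<user>[^/:@\s]+):"
    r"(?P<secret>[^@/\s]+)@"
)


def redact_url_credentials(text: str) -> str:
    """Return text with the password of every embedded URL userinfo replaced."""
    return _URL_USERINFO.sub(r"\g<scheme>\g<user>:<redacted>@", text)


class RedactingFilter(logging.Filter):
    """Logging filter that masks URL-embedded secrets in the message and its args."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_url_credentials(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact_url_credentials(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact_url_credentials(a) if isinstance(a, str) else a
                                for a in record.args)
        return True  # never drop the record, only clean it


def format_with_filter(msg: str, *args) -> str:
    """Build a log record, run it through RedactingFilter and return the final text."""
    record = logging.LogRecord("lorry", logging.DEBUG, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


# Constructed config dump in the shape of the debug output quoted in the issue.
SAMPLE_CONFIG = """[config]
mirror-base-url-push = https://oauth2:EXAMPLE_TOKEN@gitlab.gnome.org
mirror-base-url-fetch = https://oauth2:EXAMPLE_TOKEN@gitlab.gnome.org
log-level = debug
"""


def redacted_config_lines(config_text: str) -> list[str]:
    """Redact a whole config dump line by line, as a status page would print it."""
    return [redact_url_credentials(line) for line in config_text.splitlines()]
```

Installing the filter on the handler that feeds the status page (`handler.addFilter(RedactingFilter())`) keeps the rest of the debug output intact.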