From 1a514b591416f99511667b3f06a00822f4db1f35 Mon Sep 17 00:00:00 2001 From: Laila Winner Date: Thu, 2 Feb 2017 10:08:29 -0800 Subject: [PATCH] Update SECURITY.md * Update SECURITY.md per feedback in https://github.com/houndci/hound/issues/1087. Clarify that GitHub tokens are encrypted and encoded using `ActiveSupport::MessageEncryptor`. https://trello.com/c/KOdHjZUN/757-update-security-md --- doc/SECURITY.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/doc/SECURITY.md b/doc/SECURITY.md index 4ca2891bc..d72c4dcb9 100644 --- a/doc/SECURITY.md +++ b/doc/SECURITY.md @@ -48,17 +48,22 @@ Using OAuth2 means we do not access your GitHub password and that you can revoke our access at any time. Your GitHub token is needed in order to fetch file content, comments, repo -information and update Pull Request status. This token is stored in our -Postgres database on Heroku and is base64 encoded using a protected key. +information and update Pull Request status. This token is encrypted and encoded +using `ActiveSupport::MessageEncryptor` and stored in our Postgres database on Heroku. +`ActiveSupport::MessageEncryptor` [uses `aes-256-cbc`][message-encryptor] +for encryption and base64 for encoding. To browse the portions of the codebase related to authentication, try `grep`ing for the following terms: ```bash grep -R omniauth app -grep -R github_token app +grep -R token app ``` +[message-encryptor]: +https://github.com/rails/rails/blob/2af7338bdf32790a28e388a99dada84db0af1b5f/activesupport/lib/active_support/message_encryptor.rb#L35 + What happens when Hound refreshes your GitHub repositories ----------------------------------------------------------