Does the GitHub Trello power-up expose sensitive info to Trello?

Harshvardhan Malpani April 10, 2019

We are using Trello boards to list our tasks and their status. While working with an agency that has lent us a developer, I proposed that they link branches to our Trello tasks using the GitHub power-up for Trello.

To which they replied: "After such linking, Trello can see all our repositories from all projects."

I researched a good answer or explanation to provide them. I found that this power-up generates a request using an access token, which returns data in JSON to be used for later selection and attachment of a branch, commit, issue or pull request.

That response has the following data:

archive_url: "https://api.github.com/repos/xxxx/yyyy/{archive_format}{/ref}"
archived: false
assignees_url: "https://api.github.com/repos/xxxx/yyyy/assignees{/user}"
blobs_url: "https://api.github.com/repos/xxxx/yyyy/git/blobs{/sha}"
branches_url: "https://api.github.com/repos/xxxx/yyyy/branches{/branch}"
clone_url: "https://github.com/xxxx/yyyy.git"
collaborators_url: "https://api.github.com/repos/xxxx/yyyy/collaborators{/collaborator}"
comments_url: "https://api.github.com/repos/xxxx/yyyy/comments{/number}"
commits_url: "https://api.github.com/repos/xxxx/yyyy/commits{/sha}"
compare_url: "https://api.github.com/repos/xxxx/yyyy/compare/{base}...{head}"
contents_url: "https://api.github.com/repos/xxxx/yyyy/contents/{+path}"
contributors_url: "https://api.github.com/repos/xxxx/yyyy/contributors"
created_at: "2018-09-06T13:32:41Z"
default_branch: "master"

and a lot more.

So what is a better explanation to provide them? Trello does store the access_token, of course^1, and that allows Trello to access all my Git data at any time.

I would appreciate a legal explanation for this. Or are they right? Does this power-up really leak everything?

^1: I verified it by opening Trello in incognito; the power-up was still there and had access.
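The response quoted in the question is GitHub's repository listing, and most of its fields are URI templates that anyone holding the same token can fill in to reach the code itself. The script below is an added example written for this page; it is not part of the GitHub power-up, of Trello, or of either poster's text. It parses a constructed stand-in for that listing (two repositories whose names and flags are made up), reads the OAuth scopes GitHub reports in the X-OAuth-Scopes response header (the header is real; the values here are constructed), expands the archive_url and contents_url templates into concrete URLs, and reports which of the repositories are private.

```python
"""Summarise what a GitHub OAuth token's repository listing exposes.

Added example for this thread, not code from the GitHub power-up or Trello.
The sample response body and headers are constructed to mirror the fields
quoted in the question; they are not real API output.
"""
import json
import re
from typing import Dict, List

# Constructed stand-in for the body of GET https://api.github.com/user/repos.
SAMPLE_REPOS_JSON = json.dumps([
    {
        "full_name": "xxxx/yyyy",
        "private": True,
        "archived": False,
        "default_branch": "master",
        "clone_url": "https://github.com/xxxx/yyyy.git",
        "archive_url": "https://api.github.com/repos/xxxx/yyyy/{archive_format}{/ref}",
        "contents_url": "https://api.github.com/repos/xxxx/yyyy/contents/{+path}",
    },
    {
        "full_name": "xxxx/public-site",
        "private": False,
        "archived": False,
        "default_branch": "main",
        "clone_url": "https://github.com/xxxx/public-site.git",
        "archive_url": "https://api.github.com/repos/xxxx/public-site/{archive_format}{/ref}",
        "contents_url": "https://api.github.com/repos/xxxx/public-site/contents/{+path}",
    },
])

# Constructed response headers. GitHub does send X-OAuth-Scopes on authenticated
# API calls; the scope values below are made up for the example.
SAMPLE_HEADERS = {"X-OAuth-Scopes": "repo, read:org", "X-Accepted-OAuth-Scopes": "repo"}


def token_scopes(headers: Dict[str, str]) -> List[str]:
    """Return the OAuth scopes granted to the token that made the request."""
    raw = headers.get("X-OAuth-Scopes", "")
    return [s.strip() for s in raw.split(",") if s.strip()]


def grants_private_repo_access(scopes: List[str]) -> bool:
    """The 'repo' scope covers full read/write access to private repositories."""
    return "repo" in scopes


def expand_template(template: str, **values: str) -> str:
    """Expand the RFC 6570 forms GitHub uses in its URL fields.

    Handles {var}, {+var} (reserved expansion, slashes kept) and {/var}
    (path segment: prefixed with '/' when supplied, dropped when absent).
    """
    def repl(match):
        op, name = match.group(1), match.group(2)
        value = values.get(name)
        if value is None:
            return ""
        return "/" + value if op == "/" else value
    return re.sub(r"\{([+/]?)(\w+)\}", repl, template)


def private_repos(repos: List[dict]) -> List[str]:
    """Names of the repositories the listing marks as private."""
    return [r["full_name"] for r in repos if r.get("private")]


def source_urls(repo: dict, path: str) -> Dict[str, str]:
    """Concrete URLs a token holder could use to pull code from one repository."""
    return {
        "file": expand_template(repo["contents_url"], path=path),
        "tarball": expand_template(repo["archive_url"], archive_format="tarball",
                                   ref=repo["default_branch"]),
        "clone": repo["clone_url"],
    }


def exposure_report(repos_json: str, headers: Dict[str, str]) -> dict:
    """Combine token scopes and the repository listing into one summary."""
    repos = json.loads(repos_json)
    scopes = token_scopes(headers)
    return {
        "scopes": scopes,
        "private_access": grants_private_repo_access(scopes),
        "private_repos": private_repos(repos),
        "sample_urls": {r["full_name"]: source_urls(r, "README.md") for r in repos},
    }


if __name__ == "__main__":
    print(json.dumps(exposure_report(SAMPLE_REPOS_JSON, SAMPLE_HEADERS), indent=2))
```

Run against a real listing, the same functions answer the agency's concern directly: the `private_repos` list is exactly what the token's owner can see, and `token_scopes` shows whether the grant was the broad `repo` scope or something narrower.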

2 answers

0 votes
Harshvardhan Malpani April 10, 2019

As @Iain Dooley mentioned about the access: isn't it possible to restructure the plugin with a cookie-only mode, in which Trello stores the access code in a browser cookie with obfuscation, so that Trello would not even have to store the access_code? Trello would only have to save the obfuscation key, which would be used to unlock the access_code already present in the user's browser.

0 votes
Iain Dooley
Community Leader
April 10, 2019

@Harshvardhan Malpani I would assume that if you grant Trello access to your Git account, it can see everything your Git account has access to.

Harshvardhan Malpani April 10, 2019

Is there any clause that prevents Trello from misusing the access_token obtained from the GitHub Trello authorization?

Iain Dooley
Community Leader
April 10, 2019

@Harshvardhan Malpani the power-up is provided by GitHub, using the Trello API.

So you're putting your GitHub token into a GitHub power-up.
