
Does the GitHub Trello Power-Up expose sensitive info to Trello?

We are using Trello boards to list our tasks and their status. While working with an agency that has lent us a developer, I proposed that they link branches to our Trello tasks using the GitHub Power-Up for Trello.

To which they replied: "After such linking, Trello can see all our repositories from all projects."

I researched for a good answer or explanation to provide them. I found that this Power-Up makes a request using the access token, which returns JSON data used later for selecting and attaching a branch, commit, issue or pull request.

That response has the following data:

archive_url: "https://api.github.com/repos/xxxx/yyyy/{archive_format}{/ref}"
archived: false
assignees_url: "https://api.github.com/repos/xxxx/yyyy/assignees{/user}"
blobs_url: "https://api.github.com/repos/xxxx/yyyy/git/blobs{/sha}"
branches_url: "https://api.github.com/repos/xxxx/yyyy/branches{/branch}"
clone_url: "https://github.com/xxxx/yyyy.git"
collaborators_url: "https://api.github.com/repos/xxxx/yyyy/collaborators{/collaborator}"
comments_url: "https://api.github.com/repos/xxxx/yyyy/comments{/number}"
commits_url: "https://api.github.com/repos/xxxx/yyyy/commits{/sha}"
compare_url: "https://api.github.com/repos/xxxx/yyyy/compare/{base}...{head}"
contents_url: "https://api.github.com/repos/xxxx/yyyy/contents/{+path}"
contributors_url: "https://api.github.com/repos/xxxx/yyyy/contributors"
created_at: "2018-09-06T13:32:41Z"
default_branch: "master"

and a lot more.

So what is a better explanation to provide them? Trello does store the access_token, of course^1, and that allows Trello to access all my Git data at any time.

I would appreciate a legal explanation for this. Or are they right? Does this Power-Up really leak everything?

^1: I verified it by opening Trello in incognito; the Power-Up was still there and had access.

2 answers

0 votes
Iain Dooley Community Leader Apr 10, 2019

@Harshvardhan Malpani I would assume that if you grant Trello access to your GitHub account, it can see everything your GitHub account has access to.

Is there any clause which prevents Trello from misusing the access_token obtained from the GitHub Trello authorization?

Iain Dooley Community Leader Apr 10, 2019

@Harshvardhan Malpani the Power-Up is provided by GitHub, using the Trello API.

So you're putting your GitHub token into a GitHub Power-Up.

As @Iain Dooley mentioned about the access: isn't it possible to restructure the plugin with a cookie-only mode, in which Trello stores the access code in a browser cookie with obfuscation, so that Trello would not even have to store the access_code? Trello would only have to save the obfuscation key, which would be used to unlock the access_code already present in the user's browser.
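A way to check what the question and Iain's answer are describing, as an added example that is not part of the original thread and not the Power-Up's own code: the script below audits a GitHub OAuth token from two angles. GitHub echoes the scopes a token was granted in the X-OAuth-Scopes response header of every API call, and the scope meanings in the table are GitHub's documented ones; the broad `repo` scope is what lets an app list and read every public and private repository the authorising user can reach, across all owners, which is exactly the agency's concern. The second angle groups a /user/repos listing (the same kind of repository objects quoted in the question) by owner and visibility. The GITHUB_TOKEN environment variable, the sample scope header and the sample repository list are constructed for this example so it runs offline.

```python
"""Audit what a GitHub OAuth token (such as the one a Power-Up holds) can reach.

Two views of the same question:
  1. the scopes the token was granted (X-OAuth-Scopes response header), and
  2. the repositories the token can actually list (GET /user/repos).
"""
import json
import urllib.request

# GitHub's documented OAuth scopes and what each grants. The key fact is that
# `repo` is all-or-nothing: it covers every public and private repository the
# authorising user can reach, across all owners and organisations.
SCOPE_REACH = {
    "repo": "read/write code, issues and PRs of ALL public and private repos the user can reach",
    "public_repo": "read/write access to public repositories only",
    "repo:status": "read/write commit statuses only",
    "read:org": "read organisation membership",
    "user": "read/write profile data",
    "read:user": "read profile data",
    "user:email": "read e-mail addresses",
}


def parse_oauth_scopes(header_value):
    """Turn the comma-separated X-OAuth-Scopes header into a set of scope names."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def can_read_private_repos(scopes):
    """Only the broad `repo` scope reaches private repositories."""
    return "repo" in scopes


def describe_scopes(scopes):
    """Map each granted scope to its reach; unknown scopes are flagged rather than guessed."""
    return {s: SCOPE_REACH.get(s, "unknown scope, check GitHub's scope list") for s in sorted(scopes)}


def summarize_repos(repos):
    """Group a /user/repos response by owner, counting private and public repos.

    `repos` is the decoded JSON list; each item carries `private` and `owner.login`
    alongside the *_url fields quoted in the question.
    """
    summary = {}
    for r in repos:
        bucket = summary.setdefault(r["owner"]["login"], {"private": 0, "public": 0})
        bucket["private" if r["private"] else "public"] += 1
    return summary


def _github_get(path, token, api="https://api.github.com"):
    req = urllib.request.Request(
        api + path,
        headers={"Authorization": "token " + token, "User-Agent": "scope-audit"},
    )
    return urllib.request.urlopen(req)


def fetch_scopes(token):
    """Live check: read the token's scopes from the X-OAuth-Scopes header on GET /user."""
    with _github_get("/user", token) as resp:
        return parse_oauth_scopes(resp.headers.get("X-OAuth-Scopes", ""))


def fetch_repos(token):
    """Live check: list what the token can see (first page of up to 100 repos)."""
    with _github_get("/user/repos?per_page=100&affiliation=owner,collaborator,organization_member", token) as resp:
        return json.load(resp)


# Constructed sample data standing in for live responses, so the script runs offline.
# The owner "xxxx" mirrors the redacted owner in the question; "client-org" is made up.
SAMPLE_SCOPE_HEADER = "repo, user:email"
SAMPLE_REPOS = [
    {"name": "yyyy", "private": True, "owner": {"login": "xxxx"}},
    {"name": "website", "private": False, "owner": {"login": "xxxx"}},
    {"name": "internal-tool", "private": True, "owner": {"login": "client-org"}},
]

if __name__ == "__main__":
    import os

    token = os.environ.get("GITHUB_TOKEN")  # assumed env var; unset means use the sample data
    scopes = fetch_scopes(token) if token else parse_oauth_scopes(SAMPLE_SCOPE_HEADER)
    repos = fetch_repos(token) if token else SAMPLE_REPOS
    for scope, reach in describe_scopes(scopes).items():
        print(f"{scope:12} {reach}")
    print("can read private repos:", can_read_private_repos(scopes))
    for owner, counts in summarize_repos(repos).items():
        print(f"{owner}: {counts['private']} private, {counts['public']} public")
```

Run with a real token in GITHUB_TOKEN to audit an actual grant, or without one to see the sample output. The point the summary makes is that an OAuth App token cannot be narrowed to one repository; the controls that exist are on GitHub's side, namely an organisation's OAuth App access restrictions (which block OAuth apps from the organisation's repositories until an owner approves the app) and GitHub Apps, which are installed on selected repositories rather than on the whole account.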
