Sensitive values in the logs

[ehmicky]

Does the /api/1/netlify/crawl response include any secure/sensitive values?

The response might be printed by one of the following statements:

algoliasearch-netlify/plugin/src/index.ts

Line 81 in 601d32e

console.warn(response);

algoliasearch-netlify/plugin/src/index.ts

Line 91 in 601d32e

JSON.stringify(json)

algoliasearch-netlify/plugin/src/index.ts

Line 99 in 601d32e

console.error('Could not reach algolia', error);

Netlify build logs are sometimes public, in which case there would be a risk for those sensitive values to be made public as well. However, if this endpoint does not respond with any sensitive values, then this is not a concern. I am raising this up just to be 100% sure :)

[bodinsamuel]

Netlify build logs are sometimes public

Ah we did not knew that.
We don't output anything more than ids, which are protected by ACL.
But the response error log could leak a token indeed.

[Jerska]

Worst case scenario, it will leak the API key. While not ideal, all this gives access to is the ability to trigger a crawl, and I don't see many scenarii where this would be abused maliciously.

[IanVS]

This seems fairly important, has it been addressed?