push declined due to repository rule violations: leaking a Tencent Cloud Secret ID? #357

Open
6 tasks done
Volta-lemon opened this issue Apr 26, 2024 · 5 comments

Comments

@Volta-lemon

Check List

  • I have already read the README.
  • I have already searched existing issues and they are not helpful to me.
  • I examined the error or warning messages and it's difficult to solve.
  • I am using the latest version of this repository.
  • I am using the latest version of Hexo.
  • My Node.js version matches the required version.

Describe the bug

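This is my first time trying Hexo. Starting the project went fine, but after I copied my md files over (the images in them use a Tencent Cloud image host) and tried to upload and deploy directly with hexo d, I got an error, as shown in the screenshots below. There is no relevant information online. When I searched the corresponding files I also did not see any Tencent Cloud Secret ID field, only some descriptive fields for Tencent and Secret ID, but I am not sure whether those files contain key information I did not notice. The push was blocked by GitHub's security measures. I hope this can be resolved properly; for now I don't dare ignore this security issue.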

g1

g2

Expected behavior

I hope this problem can be solved, to see whether it is a GitHub bug or whether a Tencent Cloud image-host key has really been leaked.

How to reproduce

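  1. First commit the initialized Hexo project to GitHub; this succeeds and the site can be accessed via username.github.io
  2. Copy my earlier md files, whose images are stored on the Tencent Cloud image host, into the Hexo project
  3. Run hexo d
  4. It reports an error: image-host information may have been leaked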

Screenshots

No response

Environment information

Windows system

$ Node -v
v16.17.0



$ hexo -v
INFO  Validating config
hexo: 6.3.0
hexo-cli: 4.3.0
os: win32 10.0.19044
node: 16.17.0
v8: 9.4.146.26-node.22
uv: 1.43.0
zlib: 1.2.11
brotli: 1.0.9
ares: 1.18.1
modules: 93
nghttp2: 1.47.0
napi: 8
llhttp: 6.0.7
openssl: 1.1.1q+quic
cldr: 41.0
icu: 71.1
tz: 2022a
unicode: 14.0
ngtcp2: 0.1.0-DEV
nghttp3: 0.1.0-DEV

Additional context

No response

@Volta-lemon
Author

One addition: the images are handled automatically with the picgo + Obsidian plugin.

@stevenjoezhang
Member

stevenjoezhang commented Apr 26, 2024

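Judging from the error, GitHub found a token in your twikoo and therefore rejected the push. You can check manually to see whether it is a false positive. If the content of this file is the same as the public version, it should be fine.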

@Volta-lemon
Author

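> Judging from the error, GitHub found a token in your twikoo and therefore rejected the push. You can check manually to see whether it is a false positive. If the content of this file is the same as the public version, it should be fine.

I had pushed successfully before, then added the files with image-host images and ran into this problem, and now the push no longer succeeds. But the plaintext fields do not directly contain a Tencent Cloud Secret ID, and I don't know whether the corresponding data was read in the background. Where can I see that public version?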

@stevenjoezhang
Member

This libs/twikoo/twikoo.all.min.js is probably generated by the theme or Hexo plugin you are using? Its original version should be this one:
https://cdn.jsdelivr.net/npm/twikoo@latest/dist/twikoo.all.min.js

@Volta-lemon
Author

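I roughly compared the keywords, and it feels more likely to be a false positive? After I delete it, it doesn't seem to affect running, but when I run hexo g it still appears. GitHub warns me that I may have leaked a Tencent Cloud Secret ID? But the Tencent Cloud Secret Key seems to be the important one. Perhaps I should consider this a false positive? Perhaps I should report this problem in Hexo's issues?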
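
The manual check suggested in the thread (compare the flagged file with the published copy), as an added example that is not part of the original thread or of the Hexo or twikoo projects. It assumes a Tencent Cloud SecretId is `AKID` followed by 32 alphanumeric characters; `findCandidates`, `triage` and the sample strings are constructed for illustration.

```javascript
// Added example: triage a push-protection hit in a bundled file by checking
// whether each candidate string also ships in the published copy of that file.

// Assumption: a Tencent Cloud SecretId is "AKID" followed by 32 alphanumerics.
const SECRET_ID_RE = /AKID[0-9A-Za-z]{32}(?![0-9A-Za-z])/g;

// Return every candidate with its offset and surrounding text: a minified
// bundle is one long line, so a line number alone does not locate the hit.
function findCandidates(text, context = 24) {
  const hits = [];
  for (const m of text.matchAll(SECRET_ID_RE)) {
    const start = Math.max(0, m.index - context);
    const end = Math.min(text.length, m.index + m[0].length + context);
    hits.push({ value: m[0], offset: m.index, snippet: text.slice(start, end) });
  }
  return hits;
}

// Compare the locally generated file with the published one.
function triage(localText, upstreamText) {
  const upstreamValues = new Set(findCandidates(upstreamText).map((h) => h.value));
  const hits = findCandidates(localText).map((h) => ({
    ...h,
    inUpstream: upstreamValues.has(h.value),
  }));
  const localOnly = hits.filter((h) => !h.inUpstream);
  let verdict = 'no-candidate-found';
  if (localOnly.length > 0) verdict = 'local-only-candidate'; // inspect and rotate if real
  else if (hits.length > 0) verdict = 'candidate-ships-in-upstream'; // same string is already public
  return { identical: localText === upstreamText, verdict, hits, localOnly };
}

// Constructed sample data (not real credentials, not real twikoo code).
const SAMPLE_ID = 'AKID' + 'a1B2c3D4'.repeat(4);
const LOCAL_ONLY_ID = 'AKID' + 'Z9y8X7w6'.repeat(4);
const upstreamSample = `var doc={example:"SecretId=${SAMPLE_ID}"};`;
const localSample = upstreamSample + `var cfg={id:"${LOCAL_ONLY_ID}"};`;

console.log(triage(upstreamSample, upstreamSample).verdict);
console.log(triage(localSample, upstreamSample).verdict);
```

In practice `localText` would be the contents of the generated `libs/twikoo/twikoo.all.min.js` and `upstreamText` the published copy of the same twikoo version.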
