@kornysietsma
Last active October 12, 2021 11:15
curl while hiding secrets for github api
#!/bin/bash -eu
# uses 1pass to get token from 1password vault
export GITHUB_API_TOKEN=$(1pass "github api token")

function ghapi() {
  # The heredoc passed on stdin is inserted into a JSON string, so escape
  # backslashes and double quotes, and turn newlines into spaces (a raw
  # newline is not allowed inside a JSON string).
  # optionally we could build this with jq?
  local json
  json=$(sed 's/\\/\\\\/g; s/"/\\"/g' | tr '\n' ' ')
  # -K reads the Authorization header from the process substitution, so the
  # token never appears in curl's arguments
  curl -sS -K <(cat <<<"header \"Authorization: token $GITHUB_API_TOKEN\"") -X POST https://api.github.com/graphql -d @- <<EOT
{
  "query": "$json"
}
EOT
}

login=$(ghapi <<EOF
query {
  viewer {
    login }}
EOF
)
jq "." <<<"$login"
# leaks the token on the commandline, process list and possibly history
curl -H "Authorization: token $GITHUB_API_TOKEN" ...
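# How about:
# (curl config files only treat double quotes as quoting, so the header value must be double-quoted)
curl -K- <<< "header \"Authorization: token $GITHUB_API_TOKEN\""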
# or even trickier:
curl -K <(cat <<<"header \"Authorization: token $GITHUB_API_TOKEN\"")
# (the `<(` runs the command and expands to a file-like path, such as /dev/fd/63, that curl reads the command's output from)
# a version with a payload:
curl -K <(cat <<<"header \"Authorization: token $GITHUB_API_TOKEN\"") -X POST -d " \
{ \
\"query\": \"query { viewer { login }}\" \
} \
" https://api.github.com/graphql
# or using a heredoc for the json:
curl -K <(cat <<<"header \"Authorization: token $GITHUB_API_TOKEN\"") -X POST https://api.github.com/graphql -d @- << EOF
{
"query": "query { viewer { login }}"
}
EOF
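The same idea taken one step further, as an added example that is not the gist author's code: the whole request (URL, Authorization header and JSON body) goes into the curl config read from stdin with `-K -`, so nothing sensitive is on curl's command line. The function names are hypothetical, and it assumes the token is already in `$GITHUB_API_TOKEN` and that the query has no newlines inside GraphQL string literals.

```shell
# Added example; curl_quote, graphql_body, ghapi_config and ghapi are hypothetical names.

# Escape a value for a double-quoted parameter in a curl config file:
# backslash and double quote are the two characters that need a backslash.
curl_quote() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Read a GraphQL query on stdin and print a JSON body {"query": "..."}.
# Newlines and tabs become spaces, trailing whitespace is dropped, then
# backslash and double quote are escaped for the JSON string.
graphql_body() {
  local q
  q=$(tr '\n\t' '  ' | sed 's/[[:space:]]*$//; s/\\/\\\\/g; s/"/\\"/g')
  printf '{"query": "%s"}' "$q"
}

# Print a complete curl config for the request. printf is a shell builtin
# and sed receives the token on stdin, so the token is never in any argv.
ghapi_config() {
  local body
  body=$(graphql_body)
  printf 'url = "%s"\n' "https://api.github.com/graphql"
  printf 'header = "Authorization: token %s"\n' "$(curl_quote "$GITHUB_API_TOKEN")"
  # a "data" entry makes curl send a POST, as -d does on the command line
  printf 'data = "%s"\n' "$(curl_quote "$body")"
}

# Send the query read from stdin; curl takes its whole request from stdin.
ghapi() {
  ghapi_config | curl -sS -K -
}

# Usage:
#   ghapi <<'EOF' | jq .
#   query { viewer { login }}
#   EOF
```

Because the body is quoted twice (once for JSON, once for the curl config), a query containing `"` ends up as `\\\"` in the config and is unescaped back to valid JSON by curl.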