Found GitHub API Token hard-coded publicly on GitHub repository!!!
Created by: anshumanpattnaik
Hello,
I found a GITHUB_API_TOKEN hard-coded publicly in a GitHub repository; I found this token in the commit links below.
POC
- Please execute the curl command to confirm the API_TOKEN
curl -u PaddlePaddle:e51cb020919a6eef689257966e8fb6477981788a https://api.github.com/user
- After executing the command you will observe that you are able to log in to the paddlepaddle account.
Security Impact
A GitHub API token is always sensitive because by using this token an attacker can get access to the repository. So as a best practice, never expose an API token publicly on GitHub.
Thanks,
Anshuman Pattnaik
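
One way a maintainer could catch this class of leak before a commit is pushed, as an added example that is not part of the original report or the project's code: a Python check over a unified diff that flags prefixed GitHub tokens and legacy 40-hex tokens on added lines. The keyword list, file names and token values are assumptions constructed for the illustration.

```python
import re

# Modern prefixed GitHub tokens, and legacy 40-hex tokens, which look like
# git SHAs and are only flagged when a credential keyword is on the same line.
PREFIXED = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")
HEX40 = re.compile(r"\b[0-9a-f]{40}\b")
CONTEXT = re.compile(r"token|secret|passw|api[_-]?key|curl\s.*-u\s", re.I)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def redact(value):
    """Keep only enough of the match to locate it, never the full secret."""
    return value[:4] + "..." + value[-2:]


def scan_diff(diff_text):
    """Return (file, line_no, redacted_match) for each suspect added line."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif (m := HUNK.match(raw)):
            line_no = int(m.group(1)) - 1
        elif raw.startswith("+"):
            line_no += 1
            body = raw[1:]
            hits = PREFIXED.findall(body)
            if CONTEXT.search(body):
                hits += HEX40.findall(body)
            findings += [(path, line_no, redact(h)) for h in hits]
        elif not raw.startswith("-"):
            line_no += 1  # context line advances the new-file counter
    return findings


# Constructed sample diff; the token and commit values are made up.
SAMPLE_DIFF = """\
--- a/tools/release.sh
+++ b/tools/release.sh
@@ -10,2 +10,4 @@
 set -e
+GITHUB_API_TOKEN=0123456789abcdef0123456789abcdef01234567
+# built from commit 89abcdef0123456789abcdef0123456789abcdef
 echo done
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
```

The commit hash on the second added line is not reported because no credential keyword accompanies it; a token that has already reached a public commit still has to be revoked, since removing the line does not remove it from history.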