Closed Maroyafaied closed 1 year ago
Sensitive data
In dev: https://github.com/ONRR/nrrd/blob/dev/database/.creds
Branch: https://github.com/ONRR/nrrd/blob/f8561c7314c3ebbd8dcf4183d7d2426840eee089/database/.creds
VUE_APP_CIRCLE_TOKEN
In dev: https://github.com/ONRR/onrr.gov-site/blob/dev/frontend/.env.development
This file only exists in that branch; it's no longer in dev. "Database credentials, S3 bucket details, server configuration details, admin credentials are exposed on the ONRR public GitHub repository"
https://github.com/ONRR/onrr.gov-site/blob/edbfe3ca6127a4b1a340ef78c3c2273a3478613b/cms/.env
@mojobnichols the links with sensitive data are above.
The VUE_APP_CIRCLE_TOKEN is used to trigger a circleci event. I don't think it is a particular threat. I will have to review their documentation.
For the remaining files, to remove them permanently it is recommended to have all pulls closed or merged.
From:
bfg --delete-files .creds onrr.gov-site
Using repo : C:\Users\nicholmo\Develop\onrr.gov-site.git
Found 361 objects to protect
Found 77 commit-pointing refs : HEAD, refs/heads/dev, refs/remotes/origin/1035-Redirects, ...
These are your protected commits, and so their contents will NOT be altered:
Found 1375 commits
Cleaning commits: 100% (1375/1375)
Cleaning commits completed in 4,576 ms.
Ref Before After
------------------------------------------------------------------------------
refs/heads/dev | bd429578 | ecf7414e
refs/remotes/origin/1035-Redirects | 6ab62116 | ce14d9a9
refs/remotes/origin/1087-MobileMenu | 7997f073 | 69d470f1
refs/remotes/origin/1100-NYMEX-frontend | b67d0faf | 2607411a
refs/remotes/origin/1120-HorizontalRule | 15361ec2 | 75cbf5ea
refs/remotes/origin/1125-CmsDeployment | 68653385 | cdce6faf
refs/remotes/origin/1158-CollectionFilters | 0b63ff99 | b0f5db7c
refs/remotes/origin/1169-RevampMenu | ab107a60 | 28eba3c2
refs/remotes/origin/1195-NewLogo | 703aae86 | a02d57f7
refs/remotes/origin/1219-IngestNYMEXSimplifieda | a018cf1f | fe7c0d76
refs/remotes/origin/1220-ExpansionBlocks | 8e42e55f | 30af3112
refs/remotes/origin/1233-LayoutBlocks | 0dbcbc8d | 80e4d446
refs/remotes/origin/1237-CardColumns | 8d6188c9 | 985334a5
refs/remotes/origin/1258-ImagesCutOff | 40534894 | d75d2ffc
refs/remotes/origin/1281-UpdateDirectus | 4e1bd0de | 4a80c6cc
...
Updating references: 100% (69/69) ...Ref update completed in 336 ms.
Earliest Latest
| |
........DDDDDDDmDmDmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
D = dirty commits (file tree fixed)
m = modified commits (commit message or parents changed)
. = clean commits (no changes to file tree)
Before After
-------------------------------------------
First modified commit | 09420ece | bad84160
Last dirty commit | ae6ef425 | 10c8f59d
Filename Git id
----------------------------
.creds | f6e2bbe9 (356 B )
In total, 1155 object ids were changed. Full details are logged here:
C:\Users\nicholmo\Develop\onrr.gov-site.bfg-report\2022-12-07\13-26-28
bfg --delete-files .env onrr.gov-site
Using repo : C:\Users\nicholmo\Develop\onrr.gov-site.git
Found 361 objects to protect
Found 77 commit-pointing refs : HEAD, refs/heads/dev, refs/remotes/origin/1035-Redirects, ...
These are your protected commits, and so their contents will NOT be altered:
Found 1375 commits
Cleaning commits: 100% (1375/1375)
Cleaning commits completed in 5,444 ms.
Ref Before After
------------------------------------------------------------------------------
refs/heads/dev | ecf7414e | 5193e445
refs/remotes/origin/1035-Redirects | ce14d9a9 | 258d6452
refs/remotes/origin/1087-MobileMenu | 69d470f1 | 2ed5903d
refs/remotes/origin/1100-NYMEX-frontend | 2607411a | 243f129b
refs/remotes/origin/1120-HorizontalRule | 75cbf5ea | 8c969215
refs/remotes/origin/1125-CmsDeployment | cdce6faf | e8f69f21
refs/remotes/origin/1158-CollectionFilters | b0f5db7c | b4fd44bb
refs/remotes/origin/1169-RevampMenu | 28eba3c2 | d13fb82c
refs/remotes/origin/1195-NewLogo | a02d57f7 | 4b419f7b
refs/remotes/origin/1219-IngestNYMEXSimplifieda | fe7c0d76 | 2bab53dd
refs/remotes/origin/1220-ExpansionBlocks | 30af3112 | 9d56c407
refs/remotes/origin/1233-LayoutBlocks | 80e4d446 | 0c3979ef
refs/remotes/origin/1237-CardColumns | 985334a5 | 4a63a04d
refs/remotes/origin/1258-ImagesCutOff | d75d2ffc | 7aaee7fc
refs/remotes/origin/1281-UpdateDirectus | 4a80c6cc | 90dbb4a6
...
Updating references: 100% (69/69) ...Ref update completed in 328 ms.
Earliest Latest
| |
Dmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
D = dirty commits (file tree fixed)
m = modified commits (commit message or parents changed)
. = clean commits (no changes to file tree)
Before After
-------------------------------------------
First modified commit | edbfe3ca | a1e73f8c
Last dirty commit | 9f0c54aa | 142b4e5f
Filename Git id
----------------------------
.env | 69bf00ac (4.5 KB)
In total, 1201 object ids were changed. Full details are logged here:
C:\Users\nicholmo\Develop\onrr.gov-site.bfg-report\2022-12-07\13-31-04
BFG run is complete! When ready, run: git reflog expire --expire=now --all && git gc --prune=now --aggressive
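The purge procedure the comment above runs with BFG, as an added shell example that is not from this thread or from the ONRR repositories: it builds a throwaway repo with a constructed secrets file, rewrites every ref to drop that path (git's built-in filter-branch stands in for BFG, which is a separate Java tool, and the reflog-expire and gc steps afterwards are the ones BFG itself prints), and then performs the two checks a reviewer wants before declaring the leak gone: no ref still has a commit touching the path, and the old blob object is no longer in the object store at all. The repo layout, branch names and credential values are constructed for the example.

```shell
#!/usr/bin/env sh
# Added example (not from the ONRR issue thread): purge a committed secrets
# file from every ref of a local clone, then verify that no reachable commit
# or leftover loose object still carries it. git filter-branch stands in for
# BFG; the clean-up afterwards (reflog expire + gc --prune) is what BFG prints.
set -eu

# Build a throwaway repo with a constructed secret so the script runs offline.
make_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q -b dev 2>/dev/null || git -C "$repo" init -q
  git -C "$repo" config user.email demo@example.invalid
  git -C "$repo" config user.name demo
  mkdir -p "$repo/database"
  printf 'PGUSER=app\nPGPASSWORD=hunter2-constructed\n' > "$repo/database/.creds"
  echo 'ok' > "$repo/README.md"
  git -C "$repo" add -A && git -C "$repo" commit -qm 'initial (leaks .creds)'
  # "Fixing" the leak with a follow-up commit leaves the secret in history.
  git -C "$repo" rm -q --cached database/.creds && git -C "$repo" commit -qm 'stop tracking .creds'
  # An old feature branch still points straight at the leaky commit.
  git -C "$repo" branch -q feature HEAD~1
  echo "$repo"
}

# Number of commits on any ref whose history touches PATH (0 means purged).
commits_with_path() {   # $1 repo, $2 path
  git -C "$1" log --all --format=%H -- "$2" | wc -l | tr -d ' '
}

# Exit 0 if the object (blob or commit) still exists, reachable or dangling.
object_exists() {       # $1 repo, $2 object id
  git -C "$1" cat-file -e "$2" 2>/dev/null
}

# Rewrite every ref to drop PATH, delete filter-branch's refs/original backups,
# expire all reflogs and prune, so the old objects leave the local store.
# Publishing this needs a force push of every branch, and collaborators must
# re-clone rather than pull, or their merge brings the old commits back.
purge_path() {          # $1 repo, $2 path
  FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$1" filter-branch -f \
    --index-filter "git rm -q --cached --ignore-unmatch '$2'" \
    --prune-empty -- --all >/dev/null 2>&1
  git -C "$1" for-each-ref --format='%(refname)' refs/original/ |
    while read -r ref; do git -C "$1" update-ref -d "$ref"; done
  git -C "$1" reflog expire --expire=now --all
  git -C "$1" gc -q --prune=now --aggressive
}

demo() {
  repo=$(make_demo_repo)
  blob=$(git -C "$repo" rev-parse feature:database/.creds)
  before=$(commits_with_path "$repo" database/.creds)
  purge_path "$repo" database/.creds
  after=$(commits_with_path "$repo" database/.creds)
  if object_exists "$repo" "$blob"; then pruned=no; else pruned=yes; fi
  echo "commits touching database/.creds: before=$before after=$after; old blob pruned: $pruned"
  rm -rf "$repo"
}

demo
```

Two things the script cannot do, which is why the rest of the thread goes the way it does: a force-pushed rewrite only cleans the local copy and the remote's refs, so anyone who already cloned or forked still has the secret, and the hosting side keeps the orphaned commits fetchable by SHA until its support purges them (hence the GitHub ticket later in this issue). Rotating the exposed credentials is the step that actually closes the exposure; the history rewrite just stops advertising them.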
I moved VUE_APP_CIRCLE_TOKEN to README.env without the secret.
@mojobnichols I still see the VUE_APP_CIRCLE_TOKEN in .env.development https://github.com/ONRR/onrr.gov-site/blob/dev/frontend/.env.development
These two files are still visible in the branches they were created in. I will verify that these passwords have been updated and cannot be used to access databases, and I will update the Bugcrowd submissions with that update, since it doesn't seem we can delete the history of these branches.
https://github.com/ONRR/nrrd/blob/f8561c7314c3ebbd8dcf4183d7d2426840eee089/database/.creds
https://github.com/ONRR/onrr.gov-site/blob/edbfe3ca6127a4b1a340ef78c3c2273a3478613b/cms/.env
Submitted a ticket to Github
I replied to Github support and waiting for them.
Moving this to next sprint since there's no update from GitHub support.
Also, as a reminder, this link from the Bugcrowd team, which was provided to us early on when we were setting up the program, is about a 10-minute walkthrough and is helpful if anyone needs a quick review of using the platform: Bugcrowd Platform Walkthrough - YouTube
It looks like this FAQ page also provides some additional detail on working with the tasks. Since DHS CISA and Bugcrowd do initial review and validation, we shouldn’t have to follow all of the workflow steps, but once we have items in the To Review, we are then responsible for working those items. Viewing Tasks | Bugcrowd Docs
Also, since you and I can both manage the team in Bugcrowd you can change this, but I went ahead and set you as the PoC for the auto-assigned Triage submissions. You should get notifications for all items to be addressed now; we can change this, or you can use it as a prompt to go into the Bugcrowd tool and re-assign the item for Triage to another member of your team.
Finally, we have both of our teams email distribution lists in the Auto-escalate for critical issues, so I think this is one reason we have not seen any traffic yet, since there are no Critical issues yet.
So I believe it just requires us as a group to pop into Bugcrowd once or twice a week to identify issues, and even to use the tool to assign issues. It does look like we have a few invites that have not been activated yet. I cc'd John and Tom as a reminder, since they have not activated their accounts on my team yet.
If it helps to set up a meeting to walk through and develop a procedure between our teams I am happy to help with that. Let me know what you think as you start to poke around and look at the tool.
Much appreciated!