Closed Chad-R-S closed 2 years ago
Internal ticket created : CY-4457
Hi @Chad-R-S ,
Thank you for the contribution and for warning us about this possible vulnerability!
We are internally investigating possible ways to mitigate this issue so that we come up with the best approach.
Fixed at #50 and it is available starting at v1.1.0
It downloads the get.sh script from the coverage-reporter and then checksums the downloaded binary.
There is no checksum for the get.sh itself, as we are trusting the legitimacy of the coverage-reporter; otherwise, an attacker could publish trusted binaries and SHA as if they were legit.
This way, we are making sure that we are protected against attacks similar to the one described in the case of Codecov, as we check the checksums downloaded from artifacts.codacy.com
I was investigating the report types that this action supports when I noticed the following issue:
This action seems to download a script (https://coverage.codacy.com/get.sh) during the action to download / execute the reporter. However, it downloads and uses the script without doing a checksum of it. What if someone was able to modify the script on the site through some other vulnerability, and insert something malicious? Or am I misunderstanding something about how this action works?
Relevant line of code:
https://github.com/codacy/codacy-coverage-reporter-action/blob/fe337c3c0357ff8c3962ea3e26a4832cbcb7265c/action.yml#L51
Seems like it might be safer to commit the script to this repository and use that instead of downloading it.
This is the same sort of thing that led to the CodeCov security incident: https://github.com/codecov/codecov-action/issues/281
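An added example, not code from codacy-coverage-reporter-action or from either participant, of the fetch-then-verify pattern behind both the report above and the maintainer's fix: the installer script is saved to disk and its SHA-256 is compared against a digest pinned in the workflow before anything is executed. The helper names, the use of `curl`/`sha256sum` on the runner, and the `PINNED_SHA256` placeholder are assumptions for illustration.

```shell
#!/usr/bin/env sh
# Added example, not code from codacy-coverage-reporter-action.
# Pattern: never pipe a remote installer straight into a shell; download it,
# check its SHA-256 against a hash pinned in the workflow, then run it.
# Assumption: curl and sha256sum (or shasum) are available on the runner.

# Print the SHA-256 hex digest of a file, portable across coreutils/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX: succeed only when FILE hashes to EXPECTED_HEX.
verify_sha256() {
  actual="$(sha256_of "$1")"
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# run_verified URL EXPECTED_HEX: download, verify, execute. Fails closed on
# any download error or hash mismatch, so a tampered script never runs.
run_verified() {
  url="$1"; expected="$2"
  tmp="$(mktemp)" || return 1
  if ! curl -fsSL "$url" -o "$tmp"; then
    echo "download of $url failed" >&2; rm -f "$tmp"; return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "SHA-256 mismatch for $url, refusing to execute" >&2
    rm -f "$tmp"; return 1
  fi
  sh "$tmp"; status=$?
  rm -f "$tmp"
  return "$status"
}

# Usage in a workflow step (PINNED_SHA256 is a placeholder; replace it with
# the digest of the reviewed script, and update it whenever the script changes):
#   run_verified "https://coverage.codacy.com/get.sh" "$PINNED_SHA256"
```

The pinned digest has to be refreshed whenever the upstream script legitimately changes, which is the maintenance cost the maintainer's reply trades off against verifying only the binary.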