dwhswenson
commented
3 years ago Yeah, we were vulnerable on this. I got the email from CodeCov yesterday and immediate revoked old PyPI/test.PyPI tokens, changed my PyPI/test.PyPI passwords (which probably wasn't necessary, but never hurts) and I've revoked the autorelease GitHub access token (still need to update with a new one here). Those are the only secrets in the repository.
I think the main risks for us could have been:
- PyPI access allowing either fake releases or deletes of existing releases. This was easy to check by eye.
- Write access to the repo allowing injection of bad code. All of my commits (except one, which was a local merge where I forgot to add the
-S) are cryptographically signed (either with my signature if I wrote it or with GitHub's signature for merges/other commits made through the web UI.) Plus, it's easy to verify from the network that there have been no direct commits to master; everything came from PRs and was therefore verified by GitHub (and all the verification badges are still green).
I can't think of any other attacks that could have been generated from access to the repo and full access to PyPI projects (although please feel free to suggest anything else you can think of).
@dwhswenson
The github-action script of
codecovwas compromised to send the full CI env info to a third party. You might need to invalidate all CI secrets. (I don't know if you have any that are worht rotating, just makin sure you are aware of the issue)codecov reference mallicious added code line: