Closed sroet closed 3 years ago
Yeah, we were vulnerable on this. I got the email from CodeCov yesterday and immediately revoked old PyPI/test.PyPI tokens, changed my PyPI/test.PyPI passwords (which probably wasn't necessary, but never hurts), and I've revoked the autorelease GitHub access token (still need to update it with a new one here). Those are the only secrets in the repository.
I think the main risks for us could have been:
-S
) are cryptographically signed (either with my signature if I wrote it, or with GitHub's signature for merges/other commits made through the web UI). Plus, it's easy to verify from the network that there have been no direct commits to master; everything came from PRs and was therefore verified by GitHub (and all the verification badges are still green). I can't think of any other attacks that could have been generated from access to the repo and full access to PyPI projects (although please feel free to suggest anything else you can think of).
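The check described in the comment above (every commit on master is signed by a known key, and nothing was pushed directly to master outside of a PR merge) can be automated from the output of `git log`. The script below is an added example, not code from this repository or its maintainers. It assumes the log is produced with `git log --first-parent --format='%H%x1f%P%x1f%G?%x1f%GS%x1f%s'`, that the set of trusted signer identities (`TRUSTED_SIGNERS`) is something you fill in for your own project, and the embedded log records are constructed sample data rather than real history.

```python
"""Audit a branch history for unsigned/unexpectedly signed commits and direct pushes.

Expected input is one record per commit, produced by:

    git log --first-parent --format='%H%x1f%P%x1f%G?%x1f%GS%x1f%s' origin/master

Fields are separated by the ASCII unit separator (0x1f) so subjects containing
spaces or quotes do not break parsing. %G? is git's signature status letter:
G = good signature from a trusted key, B = bad, U = good but untrusted key,
X = good but expired, Y = expired key, R = revoked key, E = cannot be checked
(e.g. missing public key), N = no signature at all.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

SEP = "\x1f"
LOG_FORMAT = f"%H{SEP}%P{SEP}%G?{SEP}%GS{SEP}%s"

# Assumption: these are the only identities expected to sign commits on master.
# "GitHub <noreply@github.com>" is how %GS renders GitHub's web-flow signing key
# for merges made through the web UI; the other entry is a hypothetical maintainer.
TRUSTED_SIGNERS = {
    "GitHub <noreply@github.com>",
    "Example Maintainer <maintainer@example.org>",
}


@dataclass
class Commit:
    sha: str
    parents: list[str]
    sig_status: str
    signer: str
    subject: str

    @property
    def is_merge(self) -> bool:
        # A PR merged with a merge commit has two parents; a direct push,
        # a squash merge or a rebase merge has exactly one.
        return len(self.parents) > 1


def parse_log(text: str) -> list[Commit]:
    """Parse records in LOG_FORMAT into Commit objects."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, parents, status, signer, subject = line.split(SEP, 4)
        commits.append(Commit(sha, parents.split(), status, signer, subject))
    return commits


def audit(commits: list[Commit], trusted_signers: set[str]) -> list[tuple[str, str]]:
    """Return (sha, reason) pairs for every commit that fails a check.

    Only status 'G' counts as verified: 'U', 'X', 'E' etc. mean the signature
    exists but cannot be trusted, which is exactly what an attacker with a
    stolen token but no maintainer key would produce (or fail to produce).
    """
    findings = []
    for c in commits:
        if c.sig_status != "G":
            findings.append((c.sha, f"signature status {c.sig_status!r} (not verified)"))
        elif c.signer not in trusted_signers:
            findings.append((c.sha, f"signed by unexpected identity {c.signer!r}"))
        if not c.is_merge:
            # Not proof of a direct push (squash/rebase merges also look like this),
            # but every such commit deserves a look at the PR it claims to come from.
            findings.append((c.sha, "single-parent commit on master; confirm it came via a PR"))
    return findings


def audit_ref(ref: str = "origin/master", repo: str = ".") -> list[tuple[str, str]]:
    """Run git in `repo` and audit the first-parent history of `ref`."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--first-parent", f"--format={LOG_FORMAT}", ref],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit(parse_log(out), TRUSTED_SIGNERS)


def _rec(*fields: str) -> str:
    return SEP.join(fields)


# Constructed sample history (not real commits): two clean PR merges, one unsigned
# direct push, and one merge signed by a key nobody on the project owns.
SAMPLE_LOG = "\n".join([
    _rec("a" * 40, "b" * 40 + " " + "c" * 40, "G", "GitHub <noreply@github.com>", "Merge pull request #12"),
    _rec("b" * 40, "d" * 40 + " " + "e" * 40, "G", "Example Maintainer <maintainer@example.org>", "Merge pull request #11"),
    _rec("d" * 40, "f" * 40, "N", "", "bump version"),
    _rec("f" * 40, "1" * 40 + " " + "2" * 40, "G", "Mallory <mallory@example.net>", "Merge pull request #10"),
])


if __name__ == "__main__":
    for sha, reason in audit(parse_log(SAMPLE_LOG), TRUSTED_SIGNERS):
        print(f"{sha[:12]}  {reason}")
```

Run `audit_ref()` inside a clone after `git fetch` to check the real branch; the `%G?` letters are only meaningful if the maintainers' public keys are in the local GPG keyring, otherwise genuine signatures show up as `E` and get flagged, which is the safe failure direction.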
@dwhswenson
The github-action script of codecov was compromised to send the full CI env info to a third party. You might need to invalidate all CI secrets. (I don't know if you have any that are worth rotating, just making sure you are aware of the issue.)
codecov reference, malicious added code line: