gofrs / uuid

A UUID package for Go
MIT License

potential security risk with codecov ? #91

Closed MaerF0x0 closed 3 years ago

MaerF0x0 commented 3 years ago

https://about.codecov.io/security-update/

I see it in https://github.com/gofrs/uuid/blob/master/.travis.yml#L19-L20

cameracker commented 3 years ago

Thanks for reporting!

I'm not yet clear on whether any tokens we had were compromised or anything, but (unless I'm misreading), our build is already using the most up to date version of their upload script that they recommend.

If this appears anywhere in your locally stored Bash Uploader, you should immediately replace the bash files with the most recent version from https://codecov.io/bash.

https://github.com/gofrs/uuid/blob/master/.travis.yml#L19-L20

after_success:
  - bash <(curl -s https://codecov.io/bash)
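
As an added example (not code from the gofrs/uuid repository or from Codecov), a hardened replacement for the `after_success` step above: download the uploader to a file and verify its SHA256 against a pinned value before executing it, instead of piping an unverified remote script straight into bash. The `EXPECTED_SHA256` value is a placeholder; the real pin is the checksum Codecov publishes for the uploader release you use.

```shell
#!/bin/sh
# Added example, not part of gofrs/uuid or the Codecov uploader itself.
# Replaces `bash <(curl -s https://codecov.io/bash)` with a download-verify-run
# sequence so a modified uploader is rejected before any environment is exposed.
set -eu

# Print the SHA256 of a file; portable across sha256sum (Linux) and shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_run FILE EXPECTED_SHA256 [UPLOADER_ARGS...]
# Executes FILE with bash only when its digest equals EXPECTED_SHA256.
# Returns 0 after a verified run, 1 on a mismatch (nothing is executed).
verify_and_run() {
    file=$1
    expected=$2
    shift 2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual does not match pinned $expected" >&2
        return 1
    fi
    # ${1+"$@"} passes any uploader flags through and is safe when none are given.
    bash "$file" ${1+"$@"}
}

# Placeholder pin: replace with the checksum published for the uploader release you use.
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# CI usage, equivalent to the after_success step in .travis.yml but verified first:
#   curl -fsSL https://codecov.io/bash -o codecov.sh
#   verify_and_run codecov.sh "$EXPECTED_SHA256"
```

A stale pin fails the build instead of silently running a changed script, which is the intended behaviour. Even a verified uploader still sees every environment variable the job exposes, so keeping secrets out of the build environment remains the other half of the mitigation.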
MaerF0x0 commented 3 years ago

@CameronAckermanSEL I agree with what you're seeing, makes sense to me 😄.

Probably a good idea for you/maintainers to run through the Recommended Actions for Affected Users aspect as any builds between Jan 31 and April 1 could have leaked any env vars which could be keys to things.

theckman commented 3 years ago

Thank you for the report on this, and apologies for the delay in getting some spare cycles to check all the configs.

I've just finished taking a look through the Travis CI documentation, and it doesn't seem like they offer any sensitive environment variables by default, and we've nothing set manually in our configuration. As a result I think we're in the clear here. 👍