pion / .goassets

Asset files automatically deployed to Go package repositories
https://pion.ly/
MIT License

Codecov security breach #63

Closed daenney closed 3 years ago

daenney commented 3 years ago

Unfortunately, we're impacted. I don't believe we use any secrets in our CI for this repo thankfully. But I can't verify that to be 100% sure since I don't have admin access to this repo. I also don't know if other repos in the pion org may be affected and require secrets rolling.

Paging @Sean-Der

Sean-Der commented 3 years ago

Thanks for the heads up!

We have a secret for deploying GitHub Pages (for pion.ly) will roll that now!

I also made you an owner, no reason you should be blocked on me :)

daenney commented 3 years ago

I also made you an owner, no reason you should be blocked on me :)

The powerrrrrrr, I can feel it :smiling_imp:.

daenney commented 3 years ago

Did we end up doing this? I see an org-wide secret for pion bot but that one predates the Codecov breach notification.

at-wat commented 3 years ago

It would be better to review the workflows in the organization to prepare for future attacks.

The model of GitHub Actions is designed to make it possible to control the access scope of secrets. For example,

env:
  GLOBAL_SECRET: ${{ secrets.SECRET0 }}
  # This value is visible from all jobs/steps in this workflow.
  # (this style shouldn't be used)

jobs:
  job1:
    steps:
      - name: step1
        run: command
        env:
          STEP1_SECRET: ${{ secrets.SECRET1 }}
      - run: download unreliable-command
      - name: step2
        run: |
          commands
          unreliable-command  # This command can see STEP2_SECRET, but not STEP1_SECRET.
          # So, if unreliable-command doesn't require the secret,
          # it should be moved to a separate step like step3.
        env:
          STEP2_SECRET: ${{ secrets.SECRET2 }}
      - name: step3
        run: unreliable-command  # This command can't see any secrets.
      - name: step4
        run: command
        env:
          STEP4_SECRET: ${{ secrets.SECRET4 }}
          # unreliable-command executed in step3 may have overwritten other commands.
          # STEP4_SECRET is visible to an attacker if unreliable-command is malicious.
  job2:
    steps:
      - ...
        # Job execution space is isolated.
        # So, commands in job2 can't see any secrets from job1 (except for the global env).

(I haven't checked whether there are potentially dangerous workflows in the pion org.)
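
A small checker for the kind of review suggested above, added here as an example (it is not part of this thread or of any pion repository): it walks a workflow file by indentation and reports every `${{ secrets.* }}` reference that sits at workflow or job level, where every step, including any untrusted third-party command, can read it, rather than inside a single step. The sample workflow, the uploader script and the action name in it are constructed placeholders.

```python
import re

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")  # ${{ secrets.NAME }}


def secret_scopes(workflow_text):
    """Return [(secret_name, scope), ...] in order of appearance: 'workflow' (top-level
    env), 'job' (job-level env), 'step' (env/with/run inside a step) or 'other'."""
    stack, found = [], []  # stack: (indent, key) pairs forming the current YAML path
    for raw in workflow_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent, body = len(raw) - len(raw.lstrip(" ")), raw.strip()
        if body.startswith("- "):  # list item: its key sits two columns deeper
            indent, body = indent + 2, body[2:].lstrip()
        while stack and stack[-1][0] >= indent:  # climb back out to the parent level
            stack.pop()
        stack.append((indent, body.split(":", 1)[0].strip()))
        path = [key for _, key in stack]
        for name in SECRET_REF.findall(raw):
            if path[0] == "env":
                scope = "workflow"
            else:
                scope = "step" if "steps" in path else "job" if path[0] == "jobs" else "other"
            found.append((name, scope))
    return found


def broadly_scoped_secrets(workflow_text):
    """Secrets every step of the workflow (or of a job) can read: the ones a compromised
    third-party command in an unrelated step would see too."""
    return [(n, s) for n, s in secret_scopes(workflow_text) if s in ("workflow", "job")]


# Constructed sample workflow (not from the pion repo) mixing all three scopes.
SAMPLE_WORKFLOW = """\
env:
  GLOBAL_SECRET: ${{ secrets.SECRET0 }}      # every step of every job can read it
jobs:
  test:
    env:
      JOB_TOKEN: ${{ secrets.SECRET1 }}      # every step of this job can read it
    steps:
      - run: ./upload-coverage.sh            # third-party uploader (placeholder)
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}   # only this step sees it
  deploy:
    steps:
      - uses: example-org/deploy-pages@v1    # placeholder action name
        with:
          deploy_key: ${{ secrets.DEPLOY_KEY }}
"""
```

Running `broadly_scoped_secrets(SAMPLE_WORKFLOW)` flags `SECRET0` (workflow level) and `SECRET1` (job level); the two step-scoped secrets are left alone.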

Sean-Der commented 3 years ago

@daenney Sorry for responding late! I did fix that, I updated the existing value.

@at-wat That would be awesome. You know more about GitHub Actions, but send any improvement my way and I'm happy to approve :)