ubiquity-os / ubiquity-os-kernel


Encrypted values can be stolen and reused #104

Closed 0x4007 closed 2 months ago

0x4007 commented 2 months ago

I know I've highlighted this issue in the past, but I'm not sure where.

As I'm going around these conferences and trying to fundraise/find partners, we realize that to quickly set up partners, we basically just send them the ubiquibot config file.

So the encrypted private key was leaked unintentionally.

As part of the decryption process, we should also include the organization ID or repo ID as part of the salt.

That way, if I copy my ubiquibot config in my organization and I leak it, and somebody else tries to use my same exact encrypted EVM private key with the bot, it will fail to decrypt correctly because their repository ID is different, for example.

0x4007 commented 2 months ago

@rndquu @Keyrxng would you guys mind urgently looking into this?

rndquu commented 2 months ago

I suppose this is the same issue ubiquibot/permit-generation#20 (although with a different solution).

The solution could be to expect evmPrivateEncrypted to be in 2 formats:

# 1
WALLET_PRIVATE_KEY:GITHUB_ORGANIZATION_ID:GITHUB_REPOSITORY_ID

# 2
WALLET_PRIVATE_KEY:GITHUB_ORGANIZATION_ID

So on decrypting we could check that:

  1. If org and repo name exists then check that current issue's context matches the values from a decrypted evmPrivateEncrypted
  2. If only org exists then check that current issue's org context matches the value from evmPrivateEncrypted

This way we can use WALLET_PRIVATE_KEY:GITHUB_ORGANIZATION_ID format in repositories as well.
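
As an added example (not code from ubiquity-os-kernel or from this thread), the check that the two comments above describe, written against the decrypted plaintext: it accepts the two proposed formats, binds the key to the org and optionally the repo, and refuses to hand the key out when the current issue's context does not match. The X25519 decryption step, `IssueContext` and the function names are assumptions for the example.

```typescript
// Added example, not code from ubiquity-os-kernel: validate the decrypted
// evmPrivateEncrypted value against the org/repo the current issue belongs to.
// Assumes the X25519 decryption step has already run and produced `plaintext`.
interface BoundPrivateKey {
  privateKey: string;
  orgId: number;
  repoId?: number; // absent in the org-only format
}
interface IssueContext { orgId: number; repoId: number }
type UnlockResult = { ok: true; privateKey: string } | { ok: false; reason: string };

// An EVM (secp256k1) private key: 32 bytes of hex, optional 0x prefix.
const HEX_PRIVATE_KEY = /^(0x)?[0-9a-fA-F]{64}$/;
const DECIMAL_ID = /^\d+$/;

// Accepts exactly the two formats proposed in the thread:
//   WALLET_PRIVATE_KEY:GITHUB_ORGANIZATION_ID:GITHUB_REPOSITORY_ID
//   WALLET_PRIVATE_KEY:GITHUB_ORGANIZATION_ID
// A bare private key with no binding is rejected on purpose.
function parseBoundPrivateKey(plaintext: string): BoundPrivateKey | null {
  const parts = plaintext.trim().split(":");
  if (parts.length < 2 || parts.length > 3) return null;
  const [privateKey, orgPart] = parts;
  const repoPart: string | undefined = parts[2];
  if (!HEX_PRIVATE_KEY.test(privateKey) || !DECIMAL_ID.test(orgPart)) return null;
  if (repoPart !== undefined && !DECIMAL_ID.test(repoPart)) return null;
  const bound: BoundPrivateKey = { privateKey, orgId: Number(orgPart) };
  if (repoPart !== undefined) bound.repoId = Number(repoPart);
  return bound;
}

// The IDs sit inside the ciphertext, so whoever copies the config cannot alter
// them without first decrypting it (which needs the X25519 private key); a
// mismatch means the config is being used outside the org/repo it was made for.
function unlockPrivateKey(plaintext: string, ctx: IssueContext): UnlockResult {
  const bound = parseBoundPrivateKey(plaintext);
  if (!bound) return { ok: false, reason: "evmPrivateEncrypted is not in a supported format" };
  if (bound.orgId !== ctx.orgId) {
    return { ok: false, reason: `key is bound to org ${bound.orgId}, current org is ${ctx.orgId}` };
  }
  if (bound.repoId !== undefined && bound.repoId !== ctx.repoId) {
    return { ok: false, reason: `key is bound to repo ${bound.repoId}, current repo is ${ctx.repoId}` };
  }
  return { ok: true, privateKey: bound.privateKey };
}
```

The org-only format still unlocks in every repository of that org, which is what makes it usable in repository-level configs as the comment above notes.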

rndquu commented 2 months ago

I'll open a fix PR in a couple of hours

ubiquity-os[bot] commented 2 months ago

! No price label has been set. Skipping permit generation.

whilefoo commented 2 months ago

Something weird is going on. The link to permit is https://github.com/ubiquity/ubiquibot-kernel/issues/undefined

0x4007 commented 2 months ago

@rndquu

Or it could possibly be the pull that's opened on the permit generation repo maybe? Not sure if that at all affects permit generation in our system.

ubiquity-os[bot] commented 2 months ago

[ 404.37 WXDAI ]

@rndquu
Contributions Overview
View Contribution Count Reward
Issue Task 1 400
Issue Comment 2 4.37
Review Comment 7 0

[ 37.284 WXDAI ]

@0x4007
Contributions Overview
View Contribution Count Reward
Issue Specification 1 17.43
Issue Comment 2 1.684
Review Comment 10 18.17

[ 0.624 WXDAI ]

@whilefoo
Contributions Overview
View Contribution Count Reward
Issue Comment 1 0.064
Review Comment 1 0.56