Re: [che-dev] Codecov security notice

Looking at the plugin-broker, the job that called codecov was running in an old CircleCI config from ages ago. Looking at that CircleCI config [1], it holds a deploy key [2] for the che-plugin-broker repo with fingerprint

c7:41:4f:50:7d:2e:18:2f:64:f9:c2:92:fb:b8:de:a0

That is the extent of how far I can look, as I don't have admin access to plugin-broker, and can't even see [2].

Florent (or someone with admin): can you cycle the deploy key for that repo?

[1] - https://app.circleci.com/settings/project/github/eclipse/che-plugin-broker/ssh
[2] - https://github.com/eclipse/che-plugin-broker/settings/keys

- Angel

On 2021-04-15 11:26 a.m., Florent Benoit wrote:
hi,

for che-theia, I already checked and it's within an action
https://github.com/eclipse-che/che-theia/blob/9460c2ca4d7ddac1c7809158e7e49106b74084d1/.github/workflows/pr.yml

but no secrets are given to the job or this action or within ENV variables

On Thu, Apr 15, 2021 at 5:09 PM Angel Misevski <amisevsk@xxxxxxxxxx> wrote:

    Hi all,

    Today at 9:05am (UTC-4) I received an email from Codecov linking to a
    recent security issue: https://about.codecov.io/security-update/ .

    The gist of the issue is that an unauthorized person got access to the
    bash uploader script used for submitting PR changes, and was able to
    export information from CI environments, potentially grabbing secrets.

    To quote from the article

      > The altered version of the Bash Uploader script could
    potentially affect:
      >
      >    Any credentials, tokens, or keys that our customers were passing
    through their CI runner that would be accessible when the Bash Uploader
    script was executed.
      >    Any services, datastores, and application code that could be
    accessed with these credentials, tokens, or keys.
      >    The git remote information (URL of the origin repository) of
    repositories using the Bash Uploaders to upload coverage to Codecov
    in CI.

    I received this email (I assume) due to che-plugin-broker's use of the
    bash uploader. I know that che-theia and the dashboard also depend on
    codecov for coverage reports. I'm still not sure how much this impacts
    our projects/what secrets were available to be exported, but this is
    definitely something we should look into.

    Cheers,

    Angel



