Re: [che-dev] Codecov security notice


Hello, All.

We use codecov to submit our code coverage results [1] [2] [3].
We use CODECOV_TOKEN.

[1] https://github.com/eclipse-che/che-operator/blob/master/.github/workflows/codecov.yml
[2] https://github.com/che-incubator/chectl/blob/main/.github/workflows/codecov.yml
[3] https://github.com/eclipse-che/che-machine-exec/blob/master/.github/workflows/codecov.yml

On Fri, Apr 16, 2021 at 12:51 AM Angel Misevski <amisevsk@xxxxxxxxxx> wrote:
Looking at the plugin-broker, the job that called codecov was
running in an old CircleCI config from ages ago. Looking at that
CircleCI config [1], it holds a deploy key [2] for the che-plugin-broker
repo with fingerprint

c7:41:4f:50:7d:2e:18:2f:64:f9:c2:92:fb:b8:de:a0

That is the extent of how far I can look, as I don't have admin access
to plugin-broker, and can't even see [2].

Florent (or someone with admin): can you cycle the deploy key for that repo?

[1] - https://app.circleci.com/settings/project/github/eclipse/che-plugin-broker/ssh
[2] - https://github.com/eclipse/che-plugin-broker/settings/keys

- Angel

On 2021-04-15 11:26 a.m., Florent Benoit wrote:
> hi,
>
> for che-theia, I already checked and it's within an action:
> https://github.com/eclipse-che/che-theia/blob/9460c2ca4d7ddac1c7809158e7e49106b74084d1/.github/workflows/pr.yml
>
> but no secrets are given to the job or this action or within ENV variables
>
> On Thu, Apr 15, 2021 at 5:09 PM Angel Misevski <amisevsk@xxxxxxxxxx> wrote:
>
>     Hi all,
>
>     Today at 9:05am (UTC-4) I received an email from Codecov linking to a
>     recent security issue: https://about.codecov.io/security-update/.
>
>     The gist of the issue is that an unauthorized person got access to the
>     bash uploader script used for submitting PR changes, and was able to
>     export information from CI environments, potentially grabbing secrets.
>
>     To quote from the article:
>
>       > The altered version of the Bash Uploader script could
>       > potentially affect:
>       >
>       >    Any credentials, tokens, or keys that our customers were passing
>       >    through their CI runner that would be accessible when the Bash Uploader
>       >    script was executed.
>       >    Any services, datastores, and application code that could be
>       >    accessed with these credentials, tokens, or keys.
>       >    The git remote information (URL of the origin repository) of
>       >    repositories using the Bash Uploaders to upload coverage to Codecov
>       >    in CI.
>
>     I received this email (I assume) due to che-plugin-broker's use of the
>     bash uploader. I know that che-theia and the dashboard also depend on
>     codecov for coverage reports. I'm still not sure how much this impacts
>     our projects/what secrets were available to be exported, but this is
>     definitely something we should look into.
>
>     Cheers,
>
>     Angel
>



--

ANATOLII BAZKO

PRINCIPAL DEVELOPER

Red Hat Ukraine
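The question the thread keeps coming back to is which secrets were reachable by the job that ran the Codecov uploader. Below is an added triage script (not from this thread or any Che repository) that answers that per GitHub Actions workflow: it pairs every job that invokes the Bash Uploader, the codecov-action wrapper or a bare codecov command with the ${{ secrets.* }} references inside that job. The sample workflow, the function name and the "a job-level or step-level secret is reachable by the uploader step" assumption are all constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample workflow (not one of the Che repositories' files): the
# coverage job exposes CODECOV_TOKEN job-wide, the release job keeps DEPLOY_KEY
# in a step that never runs the uploader.
SAMPLE_WORKFLOW = """\
name: codecov
jobs:
  coverage:
    env:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
    steps:
      - run: make test
      - run: bash <(curl -s https://codecov.io/bash)
  release:
    steps:
      - run: ./deploy.sh
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
"""
# Bash Uploader URL, the GitHub Action wrapper, or a bare "codecov" command.
UPLOADER = re.compile(r"codecov\.io/bash|codecov/codecov-action|\bcodecov\b", re.I)
SECRET = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
JOB_HEADER = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # two-space indent under jobs:


def exposed_secrets(workflow: str) -> Dict[str, List[str]]:
    """Map each job that runs the Codecov uploader to the secrets it references.
    Line-based heuristic, not a YAML parser: every ${{ secrets.X }} inside a job
    (job-level or step-level env) counts as reachable by the uploader step."""
    refs: Dict[str, Set[str]] = {}
    runs_uploader: Dict[str, bool] = {}
    job, in_jobs = None, False
    for line in workflow.splitlines():
        if line and not line.startswith(" "):  # top-level key
            in_jobs, job = line.startswith("jobs:"), None
            continue
        if not in_jobs:
            continue
        header = JOB_HEADER.match(line)
        if header:
            job = header.group(1)
            refs[job], runs_uploader[job] = set(), False
            continue
        if job is None:
            continue
        runs_uploader[job] |= bool(UPLOADER.search(line))
        refs[job].update(SECRET.findall(line))
    return {j: sorted(names) for j, names in refs.items() if runs_uploader[j]}
```

Secrets that show up in the output are the ones to rotate first; a job that reaches none still leaks the git remote URL, as the Codecov notice says.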

