New submission from STINNER Victor <vstin...@python.org>:
Currently, GitHub Actions and Travis CI run a codecov bash script downloaded from https://codecov.io/bash without validating it. The script was recently compromised: https://about.codecov.io/security-update/

We should validate the shell script's integrity by checking its checksum. Example from the documentation:

-------------
curl -s https://codecov.io/bash > codecov;
VERSION=$(grep -o 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2);
for i in 1 256 512
do
  shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM") || shasum -a $i -c <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM")
done
-------------

See: https://docs.codecov.io/docs/about-the-codecov-bash-uploader

----------
components: Tests
messages: 392362
nosy: vstinner
priority: normal
severity: normal
status: open
title: Code coverage on the CI: validate codecov shell script checksum
versions: Python 3.10

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43982>
_______________________________________
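The download-verify-run flow the report asks for, as an added example that is not code from the bug report, from CPython's CI, or from codecov's documentation. It assumes the publisher ships a checksum file in the two-column "<hex>  <name>" format that sha256sum -c / shasum -c read; the file names codecov and SHA256SUM, the stand-in uploader script, and the helper names (sha256_of, verify_script, run_verified, make_fixture, demo) are constructed for the demonstration so it runs offline. Unlike the documented snippet, the check fails closed: a missing checksum entry is an error rather than something --ignore-missing skips, and the script is only ever executed through the verifying wrapper.

```shell
#!/usr/bin/env bash
# Added example (not the bug report's, CPython's or codecov's code):
# verify a downloaded CI helper script against a checksum file before
# executing it. Assumes a "<hex>  <name>" checksum file; everything in
# make_fixture is constructed for the demo.
set -eu

# Hex SHA-256 of a file; sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_script SCRIPT CHECKSUM_FILE
# Succeeds only if CHECKSUM_FILE has an entry for SCRIPT's basename and the
# digest matches exactly. A missing entry or any mismatch fails, so an
# absent entry is never silently skipped.
verify_script() {
  local script="$1" sums="$2" name expected actual
  name=$(basename "$script")
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "verify_script: no checksum entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256_of "$script")
  if [ "$actual" != "$expected" ]; then
    echo "verify_script: $name digest $actual does not match $expected" >&2
    return 1
  fi
}

# run_verified SCRIPT CHECKSUM_FILE [ARGS...]
# The only path that executes the download: verify first, then run.
run_verified() {
  local script="$1" sums="$2"
  shift 2
  verify_script "$script" "$sums" || return 1
  bash "$script" "$@"
}

# Constructed stand-ins for the downloaded uploader and the publisher's
# checksum file, written to a temp dir whose path is printed.
make_fixture() {
  local dir
  dir=$(mktemp -d)
  cat > "$dir/codecov" <<'EOF'
#!/bin/sh
VERSION="1.0.0"
printf 'uploading with: %s\n' "$@"
EOF
  printf '%s  codecov\n' "$(sha256_of "$dir/codecov")" > "$dir/SHA256SUM"
  printf '%s\n' "$dir"
}

# The untouched script runs; the same script with one appended line
# (simulating a modified download) is refused.
demo() {
  local dir
  dir=$(make_fixture)
  run_verified "$dir/codecov" "$dir/SHA256SUM" --demo
  printf 'echo "line that is not in the published release"\n' >> "$dir/codecov"
  if run_verified "$dir/codecov" "$dir/SHA256SUM" --demo; then
    echo "demo: tampered script was executed" >&2
    rm -rf "$dir"
    return 1
  fi
  echo "demo: tampered script refused"
  rm -rf "$dir"
}

# In CI the calls would look like this (hypothetical; needs network access):
#   curl -sSf https://codecov.io/bash -o codecov
#   curl -sSf "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA256SUM" -o SHA256SUM
#   run_verified codecov SHA256SUM -t "$CODECOV_TOKEN"
case "${1:-}" in --demo) demo ;; esac
```

Running the file with --demo prints the stand-in uploader's output once, then a refusal for the modified copy. Note that the documented snippet takes VERSION from the downloaded script itself, so the checksum file it compares against is chosen by whoever served the script; pinning the expected digest (or the tag) in the CI configuration removes that dependency.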