Re: [Twisted-Python] Codecov.io security incident

2021-04-16 Thread Kyle Altendorf

On 2021-04-16 14:26, Adi Roiban wrote:


> I don't know how we can prevent these types of security issues.
> We are a public project with limited resources and are always exposed
> when we are pulling dependencies from codecov or pypy that we don't
> fully control.
>
> I guess that what we can do is stop using the codecov.io bash uploader
> and switch back to python uploader.


What will this do now?  Do you consider the bash uploader a greater 
future risk than any other thing that codecov, or anyone else, creates?



> Any other ideas?


In a single CI system (rather than using two) we could do the project 
coverage absolute limit check and patch coverage check (diff-cover) 
in-build.  Maybe there's even a place we could publish the coverage html 
output?


That said, I've never been much for avoiding services and the proposal 
for not using a codecov package involves adding another package so...


And like you said Adi, it seems pretty implausible to audit all code we 
use in CI.  So, I don't know how there's a solution.  But, I'm well 
aware that I'm not a security person.


Cheers,
-kyle

___
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python


Re: [Twisted-Python] Codecov.io security incident

2021-04-16 Thread Adi Roiban
On Fri, 16 Apr 2021 at 20:15, Glyph wrote:

>
> On Apr 16, 2021, at 11:26 AM, Adi Roiban wrote:
>
>
> For twisted/twisted and I think that other repos the main secret available
> for GitHub Action is the PYPY upload token.
>
>
> Just to make sure here - you mean PyPI, right?

Yes. Sorry. PyPI.org.

> I guess that what we can do is stop using the codecov.io bash uploader and
> switch back to python uploader.
>
> Any other ideas?
>
>
> I think we are actually OK given the constraints on the env vars, but just
> to be safe, we should invalidate / rotate the PyPI upload token. Any admins
> have a few spare minutes to do that?  (And like… check to make sure nobody
> uploaded anything surprising on our project page ;-)).
>
>

I don't have access to Twisted or ldaptor or other projects.

I only have access to pydoctor, and I saw that someone from NL (most
probably Maarten :) has already rotated the token.


https://pypi.org/project/Twisted/#history looks ok. Last release 21.2.0
- Feb 28, 2021

Cheers
-- 
Adi Roiban


Re: [Twisted-Python] Codecov.io security incident

2021-04-16 Thread Glyph

> On Apr 16, 2021, at 11:26 AM, Adi Roiban wrote:
> 
> For twisted/twisted and I think that other repos the main secret available 
> for GitHub Action is the PYPY upload token.

Just to make sure here - you mean PyPI, right?

> I guess that what we can do is stop using the codecov.io bash uploader and
> switch back to python uploader.
>
> Any other ideas?

I think we are actually OK given the constraints on the env vars, but just to 
be safe, we should invalidate / rotate the PyPI upload token. Any admins have a 
few spare minutes to do that?  (And like… check to make sure nobody uploaded 
anything surprising on our project page ;-)).

-g






[Twisted-Python] Codecov.io security incident

2021-04-16 Thread Adi Roiban
Hi.

This is a follow up for https://about.codecov.io/security-update/ that was
raised by Maarten.

The security breach dates from January 31, 2021.

Here you can see the list of Twisted org projects using Codecov.io

https://codecov.io/gh/twisted

The projects that might be affected are:

twisted Latest commit 3 hours ago - using Bash
pydoctor Latest commit a day ago - using Python
towncrier Latest commit a day ago - using Python
axiom Latest commit 2 days ago - using bash via codecov/codecov-action@v1
klein Latest commit 7 days ago - using bash via codecov/codecov-action@v1
incremental Latest commit 25 days ago - using codecov in Travis
ldaptor 2 months ago - using Python

So the only targets are: twisted, axiom and klein.

For twisted/twisted we started using the bash uploader 19 days ago as part of
https://github.com/twisted/twisted/pull/1574/
Before that we were using the python uploader.

---

Here is my understanding of what the codecov bash uploader can do:

* Read all the env variables present at the time the bash codecov.io script
is executed. The env might contain secrets
* Use the GitHub Token that is automatically generated for each GitHub
Action job

The GitHub token is valid while the action is executed and is kind of a
super token:
Actions: write
Checks: write
Contents: write
Deployments: write
Issues: write
Metadata: read
Packages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write

---

For twisted/twisted and I think that other repos the main secret available
for GitHub Action is the PYPY upload token.
This is not used as a general env variable, but is only available to the
specific step in which twine is used to upload the files.

-

The GitHub Org audit page can be used to check org administrative changes:

https://github.com/organizations/twisted/settings/audit-log

I took a quick look and didn't notice anything suspicious.

-

I don't know how we can prevent these types of security issues.
We are a public project with limited resources and are always exposed when
we are pulling dependencies from codecov or pypy that we don't fully
control.

I guess that what we can do is stop using the codecov.io bash uploader and
switch back to python uploader.

Any other ideas?

Cheers
-- 
Adi Roiban
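As an added example (not from the thread or the Twisted project's own workflows), a GitHub Actions layout showing the step-scoped PyPI secret Adi describes next to the job-level pattern it avoids, plus a `permissions:` block that narrows the automatic GITHUB_TOKEN he lists as write-everything. The secret name PYPI_UPLOAD_TOKEN, the tox environment name and the tag-based release trigger are assumptions.

```yaml
name: CI
on: [push, pull_request]

# Assumed mitigation (not discussed in the thread): restrict the automatic
# GITHUB_TOKEN to read-only instead of the default write-everything grant,
# so a compromised step in this workflow cannot push, edit checks, etc.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Weak pattern (commented out): a job-level env exposes the upload token
    # to every step, including a third-party uploader that reads the whole
    # environment. Do not do this.
    # env:
    #   TWINE_PASSWORD: ${{ secrets.PYPI_UPLOAD_TOKEN }}
    steps:
      - uses: actions/checkout@v2
      - name: Run tests with coverage
        run: tox -e coverage          # hypothetical tox env name
      - name: Upload coverage
        # Nothing sensitive is in scope here: only the read-only GITHUB_TOKEN
        # and whatever the runner provides by default.
        uses: codecov/codecov-action@v1

  release:
    needs: test
    if: startsWith(github.ref, 'refs/tags/')   # assumed release trigger
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Build distributions
        run: python -m pip install build twine && python -m build
      - name: Upload to PyPI
        # Step-scoped secret: it exists only in this step's environment, so
        # the test job and the coverage upload step never see it.
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_UPLOAD_TOKEN }}
        run: twine upload dist/*
```

Even with step scoping, a token that was ever present on a runner during the exposure window should be rotated, as Glyph suggests; scoping limits future exposure, it does not undo past exposure.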