[Twisted-Python] Codecov.io security incident

Adi Roiban adi at roiban.ro
Fri Apr 16 12:26:01 MDT 2021 

Hi.

This is a follow up for https://about.codecov.io/security-update/ that was
raised by Maarten

The security breach is from January 31, 2021,

Here you can see the list of Twisted org projects using Codecov.io

https://codecov.io/gh/twisted

The projects that might be affected are:

twisted Latest commit 3 hours ago - using Bash
pydoctor Latest commit a day ago - using Python
towncrier Latest commit a day ago - using Python
axiom Latest commit 2 days ago - using bash via codecov/codecov-action at v1
klein Latest commit 7 days ago - using bash via codecov/codecov-action at v1
incremental Latest commit 25 days ago - using codecov in Travis
ldaptor 2 months ago - using Python

So the only targets  are: twisted , axiom and klein

For twisted/twisted we start using the bash uploaded 19 days ago as part of
https://github.com/twisted/twisted/pull/1574/
Before that we were using the python uploader.

---------------

Here is my understanding of what the codecov bash uploader can do:

* Read all the env variables present at the time the bash codecov.io script
is executed. The env might contain secrets
* Use the GitHub Token that is automatically generated for each GitHub
Action job

The GitHub token is valid while the action is executed and is kind of a
super token:
Actions: write
Checks: write
Contents: write
Deployments: write
Issues: write
Metadata: read
Packages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write

-----------

For twisted/twisted and I think that other repos the main secret available
for GitHub Action is the PYPY upload token.
This is not used as a general env variable, but is only available to the
specific step in which twine is used to upload the files.

-------------

The GitHub Org audit page can be used to check org administratie changes

https://github.com/organizations/twisted/settings/audit-log

I took a quick look and didn't notice anything suspicious.

---------

I don't know how we can prevent these types of security issues.
We are a public project with limited resources and are always exposed when
we are pulling dependencies from codecov or pypy that we don't fully
control.

I guess that what we can do is stop using the codecov.io bash uploaded and
switch back to python uploader.

Any other ideas ?

Cheers
-- 
Adi Roiban
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/twisted-python/attachments/20210416/291b50da/attachment.htm>

More information about the Twisted-Python mailing list