Re: [che-dev] Codecov security notice

Hi,

For che-theia, I already checked and it's within an action,

but no secrets are given to the job or this action or within ENV variables.

On Thu, Apr 15, 2021 at 5:09 PM Angel Misevski <amisevsk@xxxxxxxxxx> wrote:
Hi all,

Today at 9:05am (UTC-4) I received an email from Codecov linking to a
recent security issue: https://about.codecov.io/security-update/ .

The gist of the issue is that an unauthorized person got access to the
bash uploader script used for submitting PR changes, and was able to
export information from CI environments, potentially grabbing secrets.

To quote from the article:

> The altered version of the Bash Uploader script could potentially affect:
>
> - Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
> - Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
> - The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.

I received this email (I assume) due to che-plugin-broker's use of the
bash uploader. I know that che-theia and the dashboard also depend on
codecov for coverage reports. I'm still not sure how much this impacts
our projects/what secrets were available to be exported, but this is
definitely something we should look into.

Cheers,

Angel
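As an added example, not code from the Che projects or from Codecov, here are the two defensive checks the question above turns on for a CI job that downloads a helper script: refuse to execute the script unless its SHA-256 matches a digest pinned in the repository, and execute it with an allow-listed environment so that an altered script could not read tokens exported by other steps. The function names, and the pinned digest the caller supplies, are assumptions for this illustration.

```bash
#!/usr/bin/env bash
# Added example (not the Che projects' or Codecov's own CI code): pin-and-verify a
# downloaded script, then run it with only the environment variables it needs.
set -eu

# Print the SHA-256 of a file (GNU coreutils or, failing that, shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare a script's digest against the pinned one; return 1 on mismatch so the
# job fails closed instead of running a script that differs from what was audited.
verify_script() {
  local script="$1" pinned="$2" actual
  actual="$(sha256_of "$script")"
  if [ "$actual" != "$pinned" ]; then
    echo "refusing to run $script: sha256 $actual != pinned $pinned" >&2
    return 1
  fi
}

# Run a verified script under `env -i` with an allow-list: only PATH, HOME and the
# VAR=value pairs passed explicitly are visible, so secrets exported elsewhere in
# the job (or in the runner's ENV) are not readable by the script.
run_isolated() {
  local script="$1" pinned="$2"
  shift 2
  verify_script "$script" "$pinned" || return 1
  env -i PATH="$PATH" HOME="${HOME:-/tmp}" "$@" "$(command -v bash)" "$script"
}

# Typical CI call (PINNED_SHA256 is a placeholder for the digest committed to the repo):
#   run_isolated ./uploader.sh "$PINNED_SHA256" CODECOV_TOKEN="$CODECOV_TOKEN"
```

Pinning the digest means an upstream change to the script makes the job fail until someone reviews and updates the pin, which is exactly the review step this incident bypassed.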
