Hi.
The security breach is from January 31, 2021,
Here you can see the list of Twisted org projects using Codecov.io
The projects that might be affected are:
twisted Latest commit 3 hours ago - using Bash
pydoctor Latest commit a day ago - using Python
towncrier Latest commit a day ago - using Python
axiom Latest commit 2 days ago - using bash via codecov/codecov-action@v1
klein Latest commit 7 days ago - using bash via codecov/codecov-action@v1
incremental Latest commit 25 days ago - using codecov in Travis
ldaptor 2 months ago - using Python
So the only targets are: twisted, axiom and klein
For twisted/twisted we started using the bash uploader 19 days ago as part of
Before that we were using the python uploader.
---------------
Here is my understanding of what the codecov bash uploader can do:
* Read all the env variables present at the time the bash
codecov.io script is executed. The env might contain secrets
* Use the GitHub Token that is automatically generated for each GitHub Action job
The GitHub token is valid while the action is executed and is kind of a super token:
RepositoryProjects: write
Statuses: write
-----------
For twisted/twisted and I think that other repos the main secret available for GitHub Action is the PyPI upload token.
This is not used as a general env variable, but is only available to the specific step in which twine is used to upload the files.
-------------
The GitHub Org audit page can be used to check org administrative changes.
I took a quick look and didn't notice anything suspicious.
---------
I don't know how we can prevent these types of security issues.
We are a public project with limited resources and are always exposed when
we are pulling dependencies from codecov or pypy that we don't fully control.
I guess that what we can do is stop using the codecov.io bash uploader and
switch back to the python uploader.
Any other ideas?
Cheers
--
Adi Roiban
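The two mitigations the mail points at (keeping the PyPI upload token visible only to the twine step, and restricting what the automatically generated GITHUB_TOKEN may do while a job runs, so a third-party uploader that reads the environment gets read-only access) as an added GitHub Actions workflow example. This is not from the original mail or from any Twisted repository; the job ids, the `PYPI_TOKEN` secret name, the Python version and the test commands are assumptions.

```yaml
# Added example workflow, not the Twisted project's own configuration.
# Job ids, the PYPI_TOKEN secret name and the Python version are assumptions.
name: ci

on:
  push:
    tags: ["*"]
  pull_request:

# Workflow-level permissions for the automatically generated GITHUB_TOKEN.
# Every job inherits this, so any step that reads the token from the
# environment (including a coverage uploader) holds a read-only token instead
# of one with write access to statuses, projects and the like.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: "3.9"
      - name: Run tests with coverage
        run: |
          python -m pip install -e . coverage
          coverage run -m unittest discover
          coverage xml
      # Python uploader from PyPI instead of fetching and executing a remote
      # bash script. No repository secrets are exported to this step.
      - name: Upload coverage
        run: |
          python -m pip install codecov
          codecov

  release:
    needs: test
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: "3.9"
      - name: Build
        run: |
          python -m pip install build twine
          python -m build
      # The upload token is bound to this single step through step-level
      # `env:`; it is not in the environment of any other step, so a step that
      # dumps its environment elsewhere in the job never sees it.
      - name: Publish to PyPI
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
        run: python -m twine upload dist/*
```

The release job is further separated from the test job, so the upload step only ever runs after the coverage step has finished in a different runner; the `permissions` block can also be set per job if some job genuinely needs write access.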