[Twisted-Python] Codecov.io security incident

Hi. This is a follow up for https://about.codecov.io/security-update/ that was raised by Maarten The security breach is from January 31, 2021, Here you can see the list of Twisted org projects using Codecov.io https://codecov.io/gh/twisted The projects that might be affected are: twisted Latest commit 3 hours ago - using Bash pydoctor Latest commit a day ago - using Python towncrier Latest commit a day ago - using Python axiom Latest commit 2 days ago - using bash via codecov/codecov-action@v1 klein Latest commit 7 days ago - using bash via codecov/codecov-action@v1 incremental Latest commit 25 days ago - using codecov in Travis ldaptor 2 months ago - using Python So the only targets are: twisted , axiom and klein For twisted/twisted we start using the bash uploaded 19 days ago as part of https://github.com/twisted/twisted/pull/1574/ Before that we were using the python uploader. --------------- Here is my understanding of what the codecov bash uploader can do: * Read all the env variables present at the time the bash codecov.io script is executed. The env might contain secrets * Use the GitHub Token that is automatically generated for each GitHub Action job The GitHub token is valid while the action is executed and is kind of a super token: Actions: write Checks: write Contents: write Deployments: write Issues: write Metadata: read Packages: write PullRequests: write RepositoryProjects: write SecurityEvents: write Statuses: write ----------- For twisted/twisted and I think that other repos the main secret available for GitHub Action is the PYPY upload token. This is not used as a general env variable, but is only available to the specific step in which twine is used to upload the files. ------------- The GitHub Org audit page can be used to check org administratie changes https://github.com/organizations/twisted/settings/audit-log I took a quick look and didn't notice anything suspicious. --------- I don't know how we can prevent these types of security issues. We are a public project with limited resources and are always exposed when we are pulling dependencies from codecov or pypy that we don't fully control. I guess that what we can do is stop using the codecov.io bash uploaded and switch back to python uploader. Any other ideas ? Cheers -- Adi Roiban

On Apr 16, 2021, at 11:26 AM, Adi Roiban <adi@roiban.ro <mailto:adi@roiban.ro>> wrote:
For twisted/twisted and I think that other repos the main secret available for GitHub Action is the PYPY upload token.
Just to make sure here - you mean PyPI, right?
I guess that what we can do is stop using the codecov.io <http://codecov.io/> bash uploaded and switch back to python uploader.
Any other ideas ?
I think we are actually OK given the constraints on the env vars, but just to be safe, we should invalidate / rotate the PyPI upload token. Any admins have a few spare minutes to do that? (And like… check to make sure nobody uploaded anything surprising on our project page ;-)). -g

On Fri, 16 Apr 2021 at 20:15, Glyph <glyph@twistedmatrix.com> wrote:
On Apr 16, 2021, at 11:26 AM, Adi Roiban <adi@roiban.ro> wrote:
For twisted/twisted and I think that other repos the main secret available for GitHub Action is the PYPY upload token.
Just to make sure here - you mean PyPI, right?
Yes. Sorry. PyPi.org.
I guess that what we can do is stop using the codecov.io bash uploaded and switch back to python uploader.
Any other ideas ?
I think we are actually OK given the constraints on the env vars, but just to be safe, we should invalidate / rotate the PyPI upload token. Any admins have a few spare minutes to do that? (And like… check to make sure nobody uploaded anything surprising on our project page ;-)).
I don't have access to Twisted or ldaptor or other projects. I only have access to pydoctor, and I saw that someone from NL (most probably Marteen :) has already rotated the token. https://pypi.org/project/Twisted/#history looks ok. Last release l21.2.0 - Feb 28, 2021 Cheers -- Adi Roiban

On 2021-04-16 14:26, Adi Roiban wrote:
I don't know how we can prevent these types of security issues. We are a public project with limited resources and are always exposed when we are pulling dependencies from codecov or pypy that we don't fully control.
I guess that what we can do is stop using the codecov.io bash uploaded and switch back to python uploader.
What will this do now? Do you consider the bash uploader a greater future risk than any other thing that codecov, or anyone else, creates?
Any other ideas ?
In a single CI system (rather than using two) we could do the project coverage absolute limit check and patch coverage check (diff-cover) in-build. Maybe there's even a place we could publish the coverage html output? That said, I've never been much for avoiding services and the proposal for not using a codecov package involves adding another package so... And like you said Adi, it seems pretty implausible to audit all code we use in CI. So, I don't know how there's a solution. But, I'm well aware that I'm not a security person. Cheers, -kyle
participants (3)
-
Adi Roiban
-
Glyph
-
Kyle Altendorf