Codecov bash uploader security issue

How minimizing our attack surface with CircleCI Contexts helped us pass the Codecov bash uploader security issue unharmed


    What is Codecov

    For those who don’t know Codecov, it is an online platform for hosted code coverage reports and statistics founded in 2014. According to their website, over 29,000 organizations and more than 1 million developers use their tools. The list includes Google, Atlassian, The Washington Post, RBC, and Procter & Gamble Co.

    Its main tool, the Bash Uploader, is used to send code coverage reports to the platform. Those reports help developers measure how well their source code is covered by tests. This is the main reason why it is widely used among developers and organizations.

    What about the breach?

    On April 15th, 2021, Codecov reported in a press release that someone had gained unauthorized access to its script and modified it without its permission.

    “Our investigation has determined that beginning Jan. 31, 2021, there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users’ continuous integration environments. This information was then sent to a third-party server outside of Codecov’s infrastructure” the company said.

    According to Codecov, the hacker gained access to:

    • Any credential, token, or key that customers passed through their continuous integration runner that would be accessible when the Bash Uploader script was executed;
    • Any service, datastore, and application code that could be accessed with these credentials, tokens, or keys;
    • The git remote information (URL of the origin repository) of repositories using the Bash Uploader to upload coverage to Codecov in their continuous integration.

    For those potential threats, Codecov is strongly encouraging developers to immediately re-roll all of their credentials, tokens, or keys located in the environment variables in their CI process.

    Why are we safe from that at CloudSkiff?

    We use CircleCI to continuously build, test and deploy our open-source drift detection CLI, driftctl. Like most projects, we need to manipulate sensitive environment variables which could mean that this event could impact us.

    But, CircleCI provides a simple and secure way to store and share those sensitive environment variables across projects and jobs (or pipelines, or steps in other CI), it is called a context. As an Organization in CircleCI, you can, in your settings, create and manage contexts.

    1.jpeg

    You can use the context key in the workflows section of a project config.yml file to give any jobs access to the environment variables associated with the context.

    version: 2.1
    
    # Jobs declaration for build, test and deploy not displayed
    
    workflows:
      build-test-deploy:
        jobs:
          - build
          - test
          - deploy:
              context: restricted-context
              requires:
                - build
                - test

    In the example above, only the deploy job has access to the environment variables created in the restricted-context context. On the other hand, the build and test jobs don’t have any access to the sensitive variables in their execution.

    That’s basically what we do as of today in our CircleCI config.yml file. Every time we need to call our test job to execute the Codecov Bash Uploader script (e.g. every push, pull request, and release workflows), since we don’t attach any context to it, the hacker has no access to our secret variables.

    We try to keep our jobs as small as possible to reduce the attack surface by separating concerns, and CircleCI context is well suited to assist in this good practice.

    We could have avoided that threat

    One way we could have avoided that is the same way Codecov started investigating the attack. The company reported on the morning of April 1, 2021, that one customer was using the shasum that is available on its Bash Uploader to confirm the integrity of the uploader fetched from https://codecov.io/bash.

    Indeed, as stated on its documentation website, “it can be validated for correctness by calculating the shasum on download and comparing to the result we store in the GitHub repository”.

    An example could be:

    $ curl -s -o codecov https://codecov.io/bash \
    && VERSION=$(grep 'VERSION=\".*\"' codecov | cut -d'"' -f2) \
    && shasum -a 512 -c --ignore-missing <(curl -s https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA512SUM)

    This simple script could be run on each test job before running the Bash Uploader. If we were doing it that way we could have seen sooner the hack, and we could have reported it sooner to Codecov.

    Our final test job looks like this:

    test:
    docker:
      - image: golang:1.16
    steps:
      - checkout
      - run: make install-tools
      - run: make test
      - run:
          name: Check Codecov
          command: |
            curl -s -o codecov https://codecov.io/bash \
              && VERSION=$(grep 'VERSION=\".*\"' codecov | cut -d'"' -f2) \
              && shasum -a 512 -c --ignore-missing <(curl -s https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA512SUM)
      - run:
          name: Codecov upload
          command: |
            chmod +x codecov
            ./codecov

    Reference:


    Get similar stories in your inbox weekly, for free



    Share this story with your friends
    driftctl
    driftctl

    Infrastructure as code is awesome, but there are so many moving parts: codebase, *.tfstate , actual cloud resources. Things tend to drift. driftctl is a free and open-source CLI that tracks, analyzes, prioritizes, and warns of infrastructure drift

    Latest stories


    DevOps: Report on Devil's Practices by DORA

    The report is drafted from a report release of the annual research and survey of …

    Amazon Elasticsearch Gets a New Version With Name Deprecated

    Accompanied by new advancements is Amazon OpenSearch, the same body of code as its predecessor, …

    McAfee Partners With IBM Security to Deliver TD Synnex Security Solution

    The MVISION platform and Security wing of IBM's partnership endgame are to extend increased protection …

    Amazon MSK Connect Launched to Better Apache Kafka UX

    Amazon follows up on its 2018 data streaming software, Amazon Managed Streaming for Apache Kafka, …

    Cloud: Zone Redundant Storage Released on General Availability

    The report is drafted from a press release of the Microsoft Azure team on the …

    Security: IBM Traces Two-Thirds of Compromises to Misconfigured APIs

    The report is drafted from a sweeping survey of dark web analysis and various X-Force …