←back to thread

Public secrets exposure leads to supply chain attack on GitHub CodeQL

(www.praetorian.com)
297 points cyberbender | 3 comments | 30 Mar 25 19:54 UTC | HN request time: 0.243s | source
Show context
junto ◴[30 Mar 25 21:13 UTC] No.43527708[source]
They weren’t kidding on the response time. Very impressive from GitHub.
replies(1): >>43527835 #
belter ◴[30 Mar 25 21:28 UTC] No.43527835[source]
Not very impressive to have an exposed public token with full write credentials...
replies(2): >>43527843 #>>43528012 #
1a527dd5 ◴[30 Mar 25 21:29 UTC] No.43527843[source]
Trying my best not to break the no snark rule [1], but I'm sure your code is 100% bullet proof against all current and future-yet-invented-attacks.

[1] _and failing_.

replies(2): >>43528097 #>>43528244 #
1. atoav ◴[30 Mar 25 22:17 UTC] No.43528244[source]
Nobody is immune against mistakes, but a certain class of mistakes¹ should never ever happen to anyone who should know better. And that in my book is anybody who has their code used by more people than themselves. I am not saying devs aren't allowed to make stupid mistakes, but if we let civil engineers have their bridges collapse with an "shit happens" -attitude trust in civil engineering would be questionable at best. So yeah shit happens to us devs, but we should be shamed if it was preventable by simply knowing the basics.

So my opinion is anybody who writes code that is used by others should feel a certain danger-tingle whenever a secret or real user data is put literally anywhere.

To all beginners that just means that when handling secrets, instead of pressing on, you should pause and make an exhaustive list of who would have read/write access to the secret under which conditions and whether that is intended. And with things that are world-readable like a public repo, this is especially crucial.

Another one may or may not be your shells history, the context of your environment variables, whatever you copy-paste into the browser-searchbar/application/LLM/chat/comment section of your choice etc.

If you absolutely have to store secrets/private user data in files within a repo it is a good idea to add the following to your .gitignore:

  *.private
  *.private.*
And then every such file has to have ".private." within the filename (e.g. credentials.private.json), this not only marks it to yourself, it also prevents you to mix up critical with mundane configuration.

But better is to spend a day to think about where secrets/user data really should be stored and how to manage them properly.

¹: a non-exhaustive list of other such mistakes: mistaking XOR for encryption, storing passwords in plaintext, using hardcoded credentials, relying on obscurity for security, sending data unencrypted over HTTP, not hashing passwords, using weak hash functions like MD5 or SHA-1, no input validation to stiff thst goes into your database, trusting user input blindly, buffer overflows due to unchecked input, lack of access control, no user authentication, using default admin credentials, running all code as administrator/root without dropping priviledges, relying on client-side validation for security, using self-rolled cryptographic algorithms, mixing authentication and authorization logic, no session expiration or timeout, predictable session IDs, no patch management or updates, wide-open network shares, exposing internal services to the internet, trusting data from cookies or query strings without verification, etc

replies(2): >>43528506 #>>43528516 #
2. immibis ◴[30 Mar 25 22:48 UTC] No.43528516[source]
> no input validation to stiff thst goes into your database

I'd put "conflating input validation with escaping" on this list, and then the list fails the list because the list conflates input validation with escaping.

replies(1): >>43528564 #
3. atoav ◴[30 Mar 25 22:53 UTC] No.43528564[source]
Good point, as I mentioned, this is a non-exhaustive list. Input validation and related topics like encodings, escaping, etc could fill a list single-handedly.