Public secrets exposure leads to supply chain attack on GitHub CodeQL

(www.praetorian.com)

297 points cyberbender | 3 comments | 30 Mar 25 19:54 UTC | HN request time: 0.692s | source

Show context

nyrikki ◴[30 Mar 25 21:51 UTC] No.43528008[source]▶

No mention why this temp token had rights to do things like create a new deployments and generate artifact attestations?

For their fix, they disabled debug logs...but didn't answer if they changed the temp tokens permissions to something more appropriate for a code analysis engine.

replies(6): >>43528290 #>>43531049 #>>43533461 #>>43538343 #>>43538350 #>>43545199 #

declan_roberts ◴[30 Mar 25 22:21 UTC] No.43528290[source]▶

>>43528008 #

I think we all know this old story. The engineer building it was getting permission denied so they gave it all the permissions and never came back and right-sized.

replies(2): >>43528378 #>>43528414 #

setr ◴[30 Mar 25 22:36 UTC] No.43528414[source]▶

>>43528290 #

Does any RBAC system actually tell you the missing permissions required to access the object in question? It’s like they’re designed to create this behavior

replies(4): >>43528495 #>>43528507 #>>43529353 #>>43534107 #

Normal_gaussian ◴[30 Mar 25 22:47 UTC] No.43528507[source]▶

>>43528414 #

Yes. Most auth systems do to the developer - GCP & AWS IAM give particularly detailed errors; nearly every feature/permission system I have implemented did. However, it wouldn't be unusual for the full error to be wrapped or swallowed by some lazy error handling. Its a bit of a PITA but well worth it to translate to a safe and informative user facing error.

as a nit; RBAC is applied to an object based permissions system rather than being one. Simply, RBAC is a simplification of permission management in any underlying auth system.

replies(3): >>43528721 #>>43529190 #>>43531266 #

winwang ◴[31 Mar 25 00:12 UTC] No.43529190[source]▶

>>43528507 #

Slightly disagree at least for GCP. It will error with a detailed permission, but you're not just going to add that -- you're going to add a role (standard, unless you have custom roles), which you technically have to map back to the permission you need. But also, those (standard) roles have many permissions in one, so you likely overprovision (though presumably by just a bit).

...If only we could do something like: dry run and surface all the required permissions, then grant them in one fell (granular) sweep.

replies(2): >>43530688 #>>43531312 #

1. da_chicken ◴[31 Mar 25 03:42 UTC] No.43530688[source]▶

>>43529190 #

> ...If only we could do something like: dry run and surface all the required permissions, then grant them in one fell (granular) sweep.

The problem with that is that it can be difficult to know what you need, and it may be impossible to simulate in any practical sense. Like, sure, I can stand up a pair of test systems and fabricate every scenario I can possibly imagine, but my employer does want me to do other things this month. And what happens when one of the systems involves a third party?

Really, the need is to be able to provision access after the relationship is established. It's weird that you need a completely new secret to change access. Imagine if this were Linux and in order to access a directory you had to provision a new user to do it? How narrow do you really think user security access would be in practical terms then?

replies(1): >>43537100 #

2. winwang ◴[31 Mar 25 16:51 UTC] No.43537100[source]▶

>>43530688 (TP) #

> the need is to be able to provision access after the relationship is established

Could you go into more detail? At a base level interpretation, this is how it works already (you need a principal to provision access for...), but you presumably mean something more interesting?

replies(1): >>43542377 #

3. da_chicken ◴[01 Apr 25 03:00 UTC] No.43542377[source]▶

>>43537100 #

With token-based access, you typically assign the role when the token is created. The access level the token has is typically locked at that point. If you're generating an API access token, you might specify the token is read-only. If you later decide that read/write access is needed, you need to generate a new token with the new access level and replace the token id and value in the client system.

It's not difficult, but it's a much bigger pain in the ass than just changing access or changing role on a user.

↑