←back to thread

Public secrets exposure leads to supply chain attack on GitHub CodeQL

(www.praetorian.com)
297 points cyberbender | 1 comments | 30 Mar 25 19:54 UTC | HN request time: 0.244s | source
Show context
nyrikki ◴[30 Mar 25 21:51 UTC] No.43528008[source]
No mention why this temp token had rights to do things like create a new deployments and generate artifact attestations?

For their fix, they disabled debug logs...but didn't answer if they changed the temp tokens permissions to something more appropriate for a code analysis engine.

replies(6): >>43528290 #>>43531049 #>>43533461 #>>43538343 #>>43538350 #>>43545199 #
declan_roberts ◴[30 Mar 25 22:21 UTC] No.43528290[source]
I think we all know this old story. The engineer building it was getting permission denied so they gave it all the permissions and never came back and right-sized.
replies(2): >>43528378 #>>43528414 #
setr ◴[30 Mar 25 22:36 UTC] No.43528414[source]
Does any RBAC system actually tell you the missing permissions required to access the object in question? It’s like they’re designed to create this behavior
replies(4): >>43528495 #>>43528507 #>>43529353 #>>43534107 #
Normal_gaussian ◴[30 Mar 25 22:47 UTC] No.43528507[source]
Yes. Most auth systems do to the developer - GCP & AWS IAM give particularly detailed errors; nearly every feature/permission system I have implemented did. However, it wouldn't be unusual for the full error to be wrapped or swallowed by some lazy error handling. Its a bit of a PITA but well worth it to translate to a safe and informative user facing error.

as a nit; RBAC is applied to an object based permissions system rather than being one. Simply, RBAC is a simplification of permission management in any underlying auth system.

replies(3): >>43528721 #>>43529190 #>>43531266 #
1. raverbashing ◴[31 Mar 25 05:04 UTC] No.43531266[source]
But obviously then the security people will raise ruckus about any attempt of telling you what is wrong

(Which ok, for an external facing system is ok)

I can bet the huge prevalence of "system says no, and nothing tells you why" helps a lot with creating vulnerable systems.

System need an "let X person do Action" instead of having people waddle through 10 options like SystemAdminActionAllow that don't mean anything to an end user