Exploitable scenario in AppVeyor?


evilkukka

16 Oct, 2018 12:56 PM

I'm trying to set up the AppVeyor script to auto-generate docs via XDocs and then publish them to a specific branch of the repo (gh-pages). This requires me to add an encrypted variable, a personal access token from GitHub with repo access.

The project is open-source and is open to pull requests. How can we ensure that no PR gets run through AppVeyor if the appveyor.yml file was edited? From our understanding, they can edit the yml script, hijack the personal access token and compromise all available repos. And the worst part would be that the PR would trigger AppVeyor even if we did not accept the PR.

It's important that we still allow PRs to run AppVeyor (for tests and whatnot), but we can't allow them to modify the AppVeyor yml file AND trigger the build.

Any suggestions?

  1. Support Staff 1 Posted by Ilya Finkelshte... on 16 Oct, 2018 02:06 PM


    Hello,

    For secrets, please use secure variables.

    Publishing is not enabled for Pull requests for apparent security reasons you just mentioned. So you should be safe.

    Please let us know if this makes sense.

  2. 2 Posted by evilkukka on 16 Oct, 2018 02:14 PM


    Hi Ilya, thanks for the reply.

    We are using secure variables already. Here is our current appveyor.yml file:
    https://github.com/Kukks/NBitcoin/blob/master/appveyor.yml

    Wouldn't anyone be able to:

    * Fork
    * Modify appveyor.yml, make use of the GitHub token and push bad code to the repository
    * Open a pull request
    * AppVeyor runs on the pull request and it runs the malicious yml file?

    We basically do this in the on_success step:

    on_success:
    - ps: |
        # Only generate and publish docs for non-PR builds; PR builds skip this step.
        if (-not (Test-Path env:APPVEYOR_PULL_REQUEST_NUMBER)) {
            Write-Host "Generating Docs"
            cinst docfx
            git config --global credential.helper store
            # Store the GitHub token for git's credential helper (the path needs the backslash).
            Add-Content "$env:USERPROFILE\.git-credentials" "https://$($env:github_access_token):x-oauth-basic@github.com`n"
            # PowerShell reads environment variables as $env:NAME, not %NAME%.
            git config --global user.email $env:github_email
            git config --global user.name $env:github_user
            sh ./docs/release.sh
        } else {
            Write-Host "Identified build as PR [$env:APPVEYOR_PULL_REQUEST_NUMBER], skipping docs gen"
        }
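The gate in the on_success step above relies on a single check (no PR number). As an added example, not code from the thread or from the NBitcoin repository, here is a stricter version of that step that a maintainer could drop into the same `- ps: |` block: it refuses to publish unless the build is a non-PR build of the expected branch in the expected repository, treats a missing secure variable as "AppVeyor withheld it" rather than failing later with an empty token, and removes the stored credential file once the push has finished. The expected repository name and branch, and the variable names github_access_token, github_email and github_user, are assumptions taken from the posted script; APPVEYOR_PULL_REQUEST_NUMBER, APPVEYOR_REPO_NAME and APPVEYOR_REPO_BRANCH are standard AppVeyor build variables.

```powershell
# Added example (not from the thread or the NBitcoin repo): a stricter on_success gate.
$ExpectedRepo   = 'Kukks/NBitcoin'   # assumption: the canonical owner/repo
$ExpectedBranch = 'master'           # assumption: the only branch that publishes docs

function Test-PublishAllowed {
    param(
        [string]$PullRequestNumber = $env:APPVEYOR_PULL_REQUEST_NUMBER,
        [string]$RepoName          = $env:APPVEYOR_REPO_NAME,
        [string]$Branch            = $env:APPVEYOR_REPO_BRANCH,
        [string]$Token             = $env:github_access_token
    )
    # Any pull request build, from a fork or from the same repository, is rejected outright.
    if (-not [string]::IsNullOrEmpty($PullRequestNumber)) {
        Write-Host "PR build [$PullRequestNumber]: publishing disabled"
        return $false
    }
    # Builds of another repository or branch (e.g. a fork's own AppVeyor project)
    # must never push to the canonical gh-pages branch.
    if ($RepoName -ne $ExpectedRepo -or $Branch -ne $ExpectedBranch) {
        Write-Host "Build of $RepoName@$Branch is not $ExpectedRepo@$ExpectedBranch, skipping"
        return $false
    }
    # A missing secure variable means AppVeyor withheld it for this build; do not proceed.
    if ([string]::IsNullOrEmpty($Token)) {
        Write-Host "github_access_token is not available in this build, skipping"
        return $false
    }
    return $true
}

function Publish-Docs {
    if (-not (Test-PublishAllowed)) { return }
    $credFile = Join-Path $env:USERPROFILE '.git-credentials'
    try {
        cinst docfx
        git config --global credential.helper store
        # Write the token once for git's credential helper; never echo it to the build log.
        Set-Content -Path $credFile -Value "https://$($env:github_access_token):x-oauth-basic@github.com"
        git config --global user.email $env:github_email
        git config --global user.name  $env:github_user
        sh ./docs/release.sh
    }
    finally {
        # Remove the on-disk credential as soon as the push is done, even if release.sh failed.
        if (Test-Path $credFile) { Remove-Item $credFile -Force }
        git config --global --unset credential.helper
    }
}

Publish-Docs
```

The repository and branch checks matter independently of the PR check: someone who forks the project and attaches their own AppVeyor project to the fork gets a non-PR build of their fork, and without the APPVEYOR_REPO_NAME comparison that build would run the publish path with whatever token they configured against whatever release.sh pushes to.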
    
  3. Support Staff 3 Posted by Ilya Finkelshte... on 16 Oct, 2018 04:22 PM


    Secure variables are not available in Pull Requests for the same security reasons. You can enable them (in UI only) for PRs from the same repository, but we do not even expose the possibility to enable them for PRs from the fork.

  4. 4 Posted by evilkukka on 16 Oct, 2018 04:46 PM


    That's great to hear, just saw it in the documentation.

    Thanks!

  5. Ilya Finkelshteyn closed this discussion on 17 Oct, 2018 05:59 PM.
