Codecov bash uploader breach remediation

tacaswell · April 26, 2021, 12:30am

Codecov breach

codecov.io is a CI service that we use for tracking code coverage of our test suite. It was recently disclosed that there was breach of codecov.io “bash uploader” and three of our repositories were affected. The attacker modified the “bash uploader” script to capture all environment variables and exfiltrated them to a third-party server. Because this job is run on against CI jobs on our default branch this means any secrets that we had exposed to CI via encrypted envs should be considered compromised.

TLDR

The day this was made public (2020-04-15) I did an audit of the repos hosted under the Matplotlib org on github, we did have exposure however all of the affected secrets have been remediated.

details

I have redacted the identities of who’s credentials were compromised out of an abundance of caution. If you have a reason you think you need to know this information email me and we will discuss it.

Exposure

We had 5 repositories with exposure to this breach :

explicit use of bash script

cycler: .travis.yml
matplotlib: azure-pipelines.yml
matplotlib: .travis.yml (older versions)

github workflow exposure

mpl-probscale: .github/workflows/check-test-coverage.yml
matplotlib: .github/workflows/tests.yml

Additionally we installed the codecov python packaing on circle, but
do not use it (at one point we had the goal of running building the examples under coverage and add that to our overall coverage).

Remediation

cycler

There is no remediation needed as we did not have any secrets available to travis.

mpl-probscale

There was a maintainers pypi username and password as repo secrets. The maintainer was contacted and their password changed.

matplotlib

GH actions

There was a SSH key in the repo secrets which was a deploy key used to push commits to macPython/matplotlib-wheels on tag. This key was removed on both sides and the matplotlib-wheels repo was archived and we have moved the wheel building machinery to GH actions. The workflow that used this secret was remvoed and the secret was not replaced.

travis

Before we fully moved to GH action we had 3 secrets encoded for travis. One secret was a GH token and two secrets were related to AWS. The owners of these credentials have been contacted, all have been revoked, and it was confirmed that there was no unexpected activity.

Azure

We did not expose any secrets to Azure so no action was needed.

CircleCI

Although we did not run the affected code on CircleCI, we do have the private side of a deploy key on circle to allow us to push the dev-docs back to matplotlib/devdocs for the default branch. Out of an abundance of caution this key was replaced.

tacaswell · May 21, 2021, 5:54pm

As a follow up from codecov about matplotlib/matplotlib

We have reason to believe that this repo may have been downloaded by the threat actor. We recommend reaching out to your git provider for more information. We have reason to believe the following environment variables and/or sensitive keys were exposed. For security and privacy reasons, we’ve limited sensitive keys to the first seven characters to help you identify the key, without printing it in full.

ACTIONS_CACHE_URL
ACTIONS_RUNTIME_TOKEN
ACTIONS_RUNTIME_URL
AGENT_ACCEPTTEEEULA
AGENT_BUILDDIRECTORY
AGENT_DISABLELOGPLUGIN_TESTFILEPUBLISHERPLUGIN
AGENT_DISABLELOGPLUGIN_TESTRESULTLOGPLUGIN
AGENT_HOMEDIRECTORY
AGENT_ID
AGENT_JOBNAME
AGENT_JOBSTATUS
AGENT_MACHINENAME
AGENT_NAME
AGENT_OS
AGENT_OSARCHITECTURE
AGENT_READONLYVARIABLES
AGENT_RETAINDEFAULTENCODING
AGENT_ROOTDIRECTORY
AGENT_SERVEROMDIRECTORY
AGENT_TEMPDIRECTORY
AGENT_TOOLSDIRECTORY
AGENT_USEWORKSPACEID
AGENT_VERSION
AGENT_WORKFOLDER
ALLUSERSPROFILE
ANDROID_HOME
ANDROID_NDK_18R_PATH
ANDROID_NDK_HOME
ANDROID_NDK_LATEST_HOME
ANDROID_NDK_PATH
ANDROID_NDK_ROOT
ANDROID_SDK_ROOT
ANT_HOME
APPDATA
AZURE_EXTENSION_DIR
AZURE_HTTP_USER_AGENT
BASH_ENV
BOOST_ROOT_1_72_0
BOOTSTRAP_HASKELL_NONINTERACTIVE
BUILD_ARTIFACTSTAGINGDIRECTORY
BUILD_BINARIESDIRECTORY
BUILD_BUILDID
BUILD_BUILDNUMBER
BUILD_BUILDURI
BUILD_CONTAINERID
BUILD_DEFINITIONNAME
BUILD_DEFINITIONVERSION
BUILD_QUEUEDBY
BUILD_QUEUEDBYID
BUILD_REASON
BUILD_REPOSITORY_CLEAN
BUILD_REPOSITORY_GIT_SUBMODULECHECKOUT
BUILD_REPOSITORY_ID
BUILD_REPOSITORY_LOCALPATH
BUILD_REPOSITORY_NAME
BUILD_REPOSITORY_PROVIDER
BUILD_REPOSITORY_URI
BUILD_REQUESTEDFOR
BUILD_REQUESTEDFOREMAIL
BUILD_REQUESTEDFORID
BUILD_SOURCEBRANCH
BUILD_SOURCEBRANCHNAME
BUILD_SOURCESDIRECTORY
BUILD_SOURCEVERSION
BUILD_SOURCEVERSIONAUTHOR
BUILD_SOURCEVERSIONMESSAGE
BUILD_STAGINGDIRECTORY
CHROMEWEBDRIVER
CHROME_BIN
CI
COBERTURA_HOME
COMMONPROGRAMFILES
COMMON_TESTRESULTSDIRECTORY
COMPUTERNAME
COMSPEC
CONDA
ChocolateyInstall
ChromeWebDriver
CommonProgramFiles(x86)
CommonProgramW6432
DEBIAN_FRONTEND
DEPLOYMENT_BASEPATH
DOTNET_MULTILEVEL_LOOKUP
DOTNET_NOLOGO
DOTNET_ROOT
DOTNET_SKIP_FIRST_TIME_EXPERIENCE
DriverData
EDGEWEBDRIVER
ENDPOINT_URL_SYSTEMVSSCONNECTION
EXEPATH
EdgeWebDriver
GCM_INTERACTIVE
GECKOWEBDRIVER
GITHUB_ACTION
GITHUB_ACTIONS
GITHUB_ACTION_REF
GITHUB_ACTION_REPOSITORY
GITHUB_ACTOR
GITHUB_API_URL
GITHUB_BASE_REF
GITHUB_ENV
GITHUB_EVENT_NAME
GITHUB_EVENT_PATH
GITHUB_GRAPHQL_URL
GITHUB_HEAD_REF
GITHUB_JOB
GITHUB_PATH
GITHUB_REF
GITHUB_REPOSITORY
GITHUB_REPOSITORY_OWNER
GITHUB_RETENTION_DAYS
GITHUB_RUN_ID
GITHUB_RUN_NUMBER
GITHUB_SERVER_URL
GITHUB_SHA
GITHUB_WORKFLOW
GITHUB_WORKSPACE
GIT_TERMINAL_PROMPT
GOROOT
GOROOT_1_10_X64
GOROOT_1_11_X64
GOROOT_1_12_X64
GOROOT_1_13_X64
GOROOT_1_14_X64
GOROOT_1_15_X64
GOROOT_1_16_X64
GOROOT_1_9_X64
GRADLE_HOME
GeckoWebDriver
HOME
HOMEBREW_CASK_OPTS
HOMEBREW_CELLAR
HOMEBREW_CLEANUP_PERIODIC_FULL_DAYS
HOMEBREW_NO_AUTO_UPDATE
HOMEBREW_PREFIX
HOMEBREW_REPOSITORY
HOMEDRIVE
HOMEPATH
IEWebDriver
INPUT_ARGUMENTS
INPUT_AWS_CURL_ARGS
INPUT_CODECOV_CURL_ARGS
INPUT_COMMIT_PARENT
INPUT_DIRECTORY
INPUT_ENV_VARS
INPUT_FAIL_CI_IF_ERROR
INPUT_FILE
INPUT_FILES
INPUT_FLAGS
INPUT_FUNCTIONALITIES
INPUT_GCOV_ARGS
INPUT_GCOV_EXECUTABLE
INPUT_GCOV_PATH_EXCLUDE
INPUT_GCOV_PATH_INCLUDE
INPUT_GCOV_PREFIX
INPUT_GCOV_ROOT_DIR
INPUT_MOVE_COVERAGE_TO_TRASH
INPUT_NAME
INPUT_OVERRIDE_BRANCH
INPUT_OVERRIDE_BUILD
INPUT_OVERRIDE_COMMIT
INPUT_OVERRIDE_PR
INPUT_OVERRIDE_TAG
INPUT_PATH_TO_WRITE_REPORT
INPUT_ROOT_DIR
INPUT_TOKEN
INPUT_VERBOSE
INPUT_WORKING-DIRECTORY
INPUT_XCODE_DERIVED_DATA
INPUT_XCODE_PACKAGE
ImageOS
ImageVersion
JAVA_HOME
JAVA_HOME_11_X64
JAVA_HOME_12_X64
JAVA_HOME_13_X64
JAVA_HOME_14_X64
JAVA_HOME_7_X64
JAVA_HOME_8_X64
LANG
LC_ALL
LC_CTYPE
LD_LIBRARY_PATH
LEIN_HOME
LEIN_JAR
LOCALAPPDATA
LOGNAME
LOGONSERVER
M2
M2_HOME
M2_REPO
MAVEN_OPTS
MSDEPLOY_HTTP_USER_AGENT
MSMPI_BIN
MSYSTEM
MonAgentClientLocation
NO_AT_BRIDGE
NUMBER_OF_PROCESSORS
NUNIT3_PATH
NUNIT_BASE_PATH
NVM_CD_FLAGS
NVM_DIR
OPENBLAS_NUM_THREADS
OS
PATH
PATHEXT
PERFLOG_LOCATION_SETTING
PGBIN
PGDATA
PGPASSWORD
PGROOT
PGUSER
PHPROOT
PIPELINE_WORKSPACE
PIPX_BIN_DIR
PIPX_HOME
PLINK_PROTOCOL
POWERSHELL_DISTRIBUTION_CHANNEL
POWERSHELL_UPDATECHECK
PROCESSOR_ARCHITECTURE
PROCESSOR_IDENTIFIER
PROCESSOR_LEVEL
PROCESSOR_REVISION
PROGRAMFILES
PSModulePath
PUBLIC
PWD
PYTHONFAULTHANDLER
PYTHON_VERSION
ProgramData
ProgramFiles(x86)
ProgramW6432
RCT_NO_LAUNCH_PACKAGER
RESOURCES_TRIGGERINGALIAS
RESOURCES_TRIGGERINGCATEGORY
RTOOLS40_HOME
RUNNER_OS
RUNNER_PERFLOG
RUNNER_TEMP
RUNNER_TOOLSDIRECTORY
RUNNER_TOOL_CACHE
RUNNER_TRACKING_ID
RUNNER_USER
RUNNER_WORKSPACE
SBT_HOME
SELENIUM_JAR_PATH
SHELL
SHLVL
SSH_AUTH_SOCK
SWIFT_PATH
SYSTEM
SYSTEMDRIVE
SYSTEMROOT
SYSTEM_ARTIFACTSDIRECTORY
SYSTEM_COLLECTIONID
SYSTEM_COLLECTIONURI
SYSTEM_CULTURE
SYSTEM_DEBUG
SYSTEM_DEFAULTWORKINGDIRECTORY
SYSTEM_DEFINITIONID
SYSTEM_DEFINITIONNAME
SYSTEM_ENABLEACCESSTOKEN
SYSTEM_HOSTTYPE
SYSTEM_ISSCHEDULED
SYSTEM_JOBATTEMPT
SYSTEM_JOBDISPLAYNAME
SYSTEM_JOBID
SYSTEM_JOBIDENTIFIER
SYSTEM_JOBNAME
SYSTEM_JOBPARALLELISMTAG
SYSTEM_JOBPOSITIONINPHASE
SYSTEM_JOBTIMEOUT
SYSTEM_PARALLELEXECUTIONTYPE
SYSTEM_PHASEATTEMPT
SYSTEM_PHASEDISPLAYNAME
SYSTEM_PHASEID
SYSTEM_PHASENAME
SYSTEM_PIPELINESTARTTIME
SYSTEM_PLANID
SYSTEM_PULLREQUEST_ISFORK
SYSTEM_PULLREQUEST_MERGEDAT
SYSTEM_PULLREQUEST_PULLREQUESTID
SYSTEM_PULLREQUEST_PULLREQUESTNUMBER
SYSTEM_PULLREQUEST_SOURCEBRANCH
SYSTEM_PULLREQUEST_SOURCECOMMITID
SYSTEM_PULLREQUEST_SOURCEREPOSITORYURI
SYSTEM_PULLREQUEST_TARGETBRANCH
SYSTEM_RESTRICTSECRETS
SYSTEM_SERVERTYPE
SYSTEM_STAGEATTEMPT
SYSTEM_STAGEDISPLAYNAME
SYSTEM_STAGEID
SYSTEM_STAGENAME
SYSTEM_TASKDEFINITIONSURI
SYSTEM_TASKDISPLAYNAME
SYSTEM_TASKINSTANCEID
SYSTEM_TASKINSTANCENAME
SYSTEM_TEAMFOUNDATIONCOLLECTIONURI
SYSTEM_TEAMFOUNDATIONSERVERURI
SYSTEM_TEAMPROJECT
SYSTEM_TEAMPROJECTID
SYSTEM_TIMELINEID
SYSTEM_TOTALJOBSINPHASE
SYSTEM_WORKFOLDER
TASK_DISPLAYNAME
TEMP
TERM
TF_BUILD
TMP
TMPDIR
USEPYTHONVERSION_PYTHONLOCATION
USER
USERDOMAIN
USERDOMAIN_ROAMINGPROFILE
USERNAME
USERPROFILE
VCPKG_INSTALLATION_ROOT
VMIMAGE
VS140COMNTOOLS
VSTS_AGENT_PERFLOG
VSTS_PROCESS_LOOKUP_ID
WINDIR
WIX
XCODE_10_DEVELOPER_DIR
XCODE_11_DEVELOPER_DIR
XCODE_12_DEVELOPER_DIR
XDG_CONFIG_HOME
XPC_FLAGS
XPC_SERVICE_NAME
_
__CF_USER_TEXT_ENCODING
agent.jobstatus
npm_config_cache
npm_config_prefix
pythonLocation

I do not see any that jump out to me as known-to-be-sensitive keys. I suspect that from this list we could back out which of our CI jobs were compromised.

tacaswell · May 21, 2021, 5:57pm

codecov has also indicated that of the repositories in the Matplotlib org, only matplotlib/matplotlib was compromised. Neither matplotlib/cycler nor matplotlib/mpl-probscale were exposed.