Automated CI security issues

Time:2021-10-16

Recently I have been working on the CI migration of lctt, and in the process I found it worth talking about CI security.

For today's open source projects, CI is almost standard equipment. Only with CI can a project handle contributions well: the machine performs some of the checks and reduces the burden of manual verification.

However, if your CI is not set up properly, it can introduce security risks into your project.

Most current CI systems are driven by a configuration file, such as .travis.yml for Travis CI or .github/workflows/xxx.yml for GitHub Actions. In it we write the code that carries out our checks.

In actual development, however, for reasons of code formatting and project organization, we may decide to store some of these scripts in subdirectories of the project.

However, putting the script in a separate file in the project also introduces security issues.

Generally speaking, when CI executes commands it relies on the configuration file from the source branch, so we do not need to worry about that configuration file being tampered with.

However, when CI executes local scripts, it uses the files from the current branch, which leaves a security risk for the project: a malicious developer can insert malicious code into those scripts to steal important information, such as the various secrets.

There are two ways to solve the problem:

  1. Do not place what the CI needs in project files: put the commands from the script directly in the CI configuration file. A malicious developer would then have to modify the CI configuration file itself, and a modified CI configuration file is not the one that gets executed.
  2. Place the files required by the CI somewhere else: current CI systems provide generic commands, so you can put the required files in another repo and add a clone or download step to the CI process to make sure they are available during execution. Then you only need to ensure that the separately stored repo contains no malicious files.
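The two ideas above in GitHub Actions form, as an added example that is not from the original post or from lctt. It assumes GitHub Actions; the repo example-org/ci-scripts, the script scripts/check.sh, the secret name API_TOKEN and the pinned commit value are placeholders.

```yaml
# Added example, not from the original post. Placeholders: example-org/ci-scripts,
# scripts/check.sh, API_TOKEN, <pinned-commit-sha>.

# .github/workflows/checks.yml -- RISKY version.
# With pull_request_target the workflow file is read from the base branch and
# secrets are available, but the script is taken from the PR head checkout,
# so whatever the contributor put in scripts/check.sh runs with API_TOKEN.
name: checks-risky
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # contributor's code
      - run: bash scripts/check.sh                         # script from the PR branch
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}

---
# .github/workflows/checks.yml -- HARDENED version.
# Idea 1: the commands live in the workflow file, which the contributor cannot
#         change for this run.
# Idea 2: any longer script comes from a separate maintainer-controlled repo,
#         checked out at a pinned commit, never from the PR branch.
name: checks-hardened
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # PR code, treated only as data to inspect
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr
      - uses: actions/checkout@v4          # idea 2: trusted scripts from another repo
        with:
          repository: example-org/ci-scripts
          ref: <pinned-commit-sha>         # placeholder; pin to a reviewed commit
          path: ci-scripts
      - run: |                              # idea 1: the commands are inline here
          git -C pr diff --check           # example check that does not execute PR files
          bash ci-scripts/check.sh pr      # script path is outside the PR checkout
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}
```

The hardened job still must not execute anything from the pr directory (build steps, install hooks) while the secret is in the environment; the script in ci-scripts should only read the PR checkout as input.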

Summary

CI is a good thing, but if it is written or used carelessly, it can still introduce security risks into your system.
