Comment by anttiharju
25 days ago
One can get the ssh access with self-hosted runners but it is problematic because uncovering secrets becomes trivial.
25 days ago
One can get the ssh access with self-hosted runners but it is problematic because uncovering secrets becomes trivial.
Uncovering secrets is usually trivial. `printenv` in a build script does that pretty reliably.
What do you mean? Simple env prints get masked as *** in logs
I guess one can always just echo the secret to a file and upload-artifact it
Like masking would work against anything but accidents.
Unless you've got something sanitizing env prints in your logs, no, they don't get masked. I've leaked secrets accidentally while debugging environment variable issues.
Of course the bigger side of the issue is that anyone who can run code in the CI context can view all data in the CI context. So if an untrusted dev can write a build script that executes with secrets in the environment, they can leak those secrets. CI is RCE-as-a-service, you implicitly give permission for anyone who can edit build scripts to run arbitrary code. Like you say, they can echo the secret to a file & upload it elsewhere, and they can also use it directly from the edited build script.
2 replies →