Codecov Bash uploader security notice

Yesterday I got an e-mail from Codecov about an incident that concerns their Bash uploader.

I read the relevant page and their docs, and just want to check the following: if I am only using Codecov for public repos, via the standard Julia CI scripts (formerly Travis CI, now mostly Github actions), and thus never had to provide any tokens, then I am unaffected and I don’t need to do anything. Is this correct?

2 Likes

@giordano or @christopher-dG can answer this I think.
Or you check Slack discussion: https://julialang.slack.com/archives/C680MM7D4/p1618492108453100
if you like. I didn’t get this email so I didn’t follow all the implications and can’t answer this for sure.

Yeah in general you should be fine. For the “average” public Julia project, the only secret in the workflow was the DOCUMENTER_KEY, but access to that is isolated to the docs job, where the Codecov action does not run.

4 Likes

Thanks. I still don’t understand why Codecov thinks that I am affected then.

Out of curiosity, what’s the worst that can happen if a malicious attacker gets hold of a DOCUMENTER_KEY? Do they get to rewrite the generated docs? (which could be quite serious, eg adding links to malicious sites, etc).

Could notification this be a leftover from having used Travis CI scripts in the past?

DOCUMENTER_KEY is an SSH key with write access to your repository, so they can push to anywhere on your repo, including your main branch if it’s not protected in GH settings.

I still don’t understand why Codecov thinks that I am affected then.

Codecov has no way to analyze everyone’s usage of their script, all they can do is identify whether or not you used the compromised script on one of your repos.

5 Likes

The codecov failed in my latest CI, which is how I found out about this. Will this fix itself or do I need to do something? When I clicked on the failed run I would up at a web page with said

Action Required: You were Impacted by Codecov’s Bash Uploader Security Issue.
Codecov recently disclosed a security issue. Based on our records, we believe you were impacted and should take immediate action.

which told me about the problem. “learn more” was not helpful, at least for me. The way I use codecov is these lines in .github/workflows/ci.yml

      - uses: codecov/codecov-action@v1
        with:
          file: lcov.info

Should I be doing something else? This has been working fine until now.

If you could link to the failed workflow run, we could do a better job of diagnosing what went wrong with the codecov action.

I tried, but every link I click either (1) shows a codecov report that looks normal and accurate or (2) tells me about Action Required. I cannot get something that looks anything like a normal CI failure report.

It’s typical for me that codecov can take a long time to come up with its report. However, it usually does ot report a failure while I wait.

I will give up and hope this problem goes away on its own.

Just got an update from CodeCov this morning by e-mail. Their corresponding blog post [updated] says

We have recently obtained a non-exhaustive, redacted set of environment variables that we have evidence were compromised. We also have evidence on how these compromised variables may have been used. Please log-in to Codecov as soon as possible to see if you are in this affected population.

and I logged in, but I am uncertain what I should be seeing, it just shows my overview.

(Sorry to be asking these questions here, I also asked their support but got no reply yet, so I am hoping someone else will figure this out and I get to freeride on their effort :wink:)

Bizzare. The failure signal I got seemed to be about a decrease in my codecov percentage and went away the next time I ran CI. I am now prepared for this and actually appreciate it.

I could have used better and more informative messages from codecov. The ones I got were/are very hard to understand and use to take action.