[added gitolite ML to cc in case someone wants to add
something].
[background for gitolite people: someone contacted me from this
email with the above subject line, but not providing any
details. I later found they sent similar emails to Johannes
Schindelin for the "git" project, and to Linus Torvalds for the
"linux" project -- so I am in excellent company ;-). I asked
for details and they sent me a JSON file which boils down to
"you have 6 ssh private keys in the directory 't/keys' in the
source". This is my response to the finding.]
Hello,
Your subject line says "git", but the detail is for gitolite.
I'll assume that was an error.
The keys you found are used for running a test; please see
https://gitolite.com/gitolite/testing.html. Note especially the
bold-face, red-color-font, warning in the first line on that
page.
Also note that I **totally reject** the second bullet in your
"advise" below, and see no way in which those keys will ever get
used by someone in a real life situation. If you can show me
*that* happening in a realistic manner, I'd love to hear about
it.
But if all you're going to do is run NoseyParker or Gitleaks or
some similar tool, and report that as a finding, thanks but no
thanks.
Good luck with your research.
sitaram
On Mon, Aug 12, 2024 at 06:00:25PM +0800, jiawe...@seu.edu.cn wrote:
>
> Dear developers of the project(git),
>
> Thank you for your feedback. We provide the detail of our findings in the attachment, which allows you to locate the potential leaked secrets. Below is an interpretation of the attached data:
>
>
> { 'file': '', #The file containing the secret
> #The project name, version or commit_hash may be reflected in the file path
> 'line_start': 1, #location: Start line of the secret
> 'line_end': 28, #location: End line of the secret
> 'col_start': 1, #location: Start column of the secret
> 'col_end': 1, #location: End column of the secret
> 'index_start': 0, #location: Start index of the secret
> 'index_end': 1675, #location: End index of the secret
> }
>
>
> Declaration: we hereby declare that we have *NOT* conducted any verification test or exploit on the identified secrets. Also, the results of our detector may have false positives.
>
> Some advise:
>
> 1. If the leaked secret is sensitive and still valid, invalidate and rotate the secret immediately.
> 2. Some secrets seem to be used only in a testing environment. Although probably harmless, it is considered bad practice to include secrets for the test environment in release builds.
>
> Best regards,
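The thread turns on one triage question: does a scanner hit point at key material that matters, or at fixtures a project documents as test-only (gitolite's t/keys)? The following script is an added example, not code from this thread, from gitolite, or from the reporter's tool. It reads findings in the record layout the reporter describes (file, line_start, line_end, col_start, col_end, index_start, index_end), validates them, and separates hits under a documented test-key directory from hits that need a human look. The sample findings, the file paths in them, and the rule that a fixture directory must match whole path components are all constructed for this example.

```python
"""Triage secret-scanner findings: documented test fixtures vs. real review items."""
import json
from pathlib import PurePosixPath

# Field names from the reporter's record layout in the thread.
REQUIRED_FIELDS = ("file", "line_start", "line_end", "col_start",
                   "col_end", "index_start", "index_end")

# Directories that a project documents as holding test-only key material.
# 't/keys' is gitolite's (from the thread); anything else added here would
# be project-specific and must come from that project's own documentation.
TEST_FIXTURE_DIRS = ("t/keys",)

# Constructed sample report. The original report's 'file' field was empty;
# these paths and numbers are made up purely to exercise the triage logic.
SAMPLE_REPORT = json.dumps([
    {"file": "gitolite/t/keys/admin", "line_start": 1, "line_end": 28,
     "col_start": 1, "col_end": 1, "index_start": 0, "index_end": 1675},
    {"file": "gitolite/src/lib/Example.pm", "line_start": 12,        # hypothetical file
     "line_end": 12, "col_start": 9, "col_end": 50, "index_start": 300,
     "index_end": 341},
    {"file": "./t/keys/u1", "line_start": 1, "line_end": 27,
     "col_start": 1, "col_end": 1, "index_start": 0, "index_end": 1600},
])


def load_findings(report_text):
    """Parse the JSON report and reject records that are missing fields
    or carry an inverted line/index span (a sign of a malformed report)."""
    findings = json.loads(report_text)
    for rec in findings:
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            raise ValueError(f"finding lacks fields {missing}: {rec}")
        if (rec["line_end"] < rec["line_start"]
                or rec["index_end"] < rec["index_start"]):
            raise ValueError(f"inverted span in finding: {rec}")
    return findings


def is_test_fixture(path):
    """True if the reported file lives under a documented test-key directory.
    Matching is done on whole directory components, so 'gitolite/t/keys/admin'
    matches 't/keys' while a top-level 'keys/admin' does not. The file's own
    name is excluded so a file merely named 'keys' never matches."""
    dirs = PurePosixPath(path).parts[:-1]          # also normalizes a leading './'
    for fixture in TEST_FIXTURE_DIRS:
        fparts = PurePosixPath(fixture).parts
        n = len(fparts)
        if any(dirs[i:i + n] == fparts for i in range(len(dirs) - n + 1)):
            return True
    return False


def triage(findings):
    """Bucket findings by file: known test fixtures vs. items needing review."""
    result = {"test_fixture": [], "needs_review": []}
    for rec in findings:
        bucket = "test_fixture" if is_test_fixture(rec["file"]) else "needs_review"
        result[bucket].append(rec["file"])
    return result


if __name__ == "__main__":
    print(json.dumps(triage(load_findings(SAMPLE_REPORT)), indent=2))
```

Run on the constructed report, the two t/keys hits land in test_fixture and only the src/ hit is left for a reviewer. The allowlist is deliberately tied to specific, documented directories rather than to anything containing the word "test" or "key", so a real credential dropped into an unexpected path still surfaces.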