-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path75cf3572.0bf2eb38.js
1 lines (1 loc) · 9.8 KB
/
75cf3572.0bf2eb38.js
1
"use strict";(self.webpackChunkadminforth=self.webpackChunkadminforth||[]).push([[1915],{1029:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>d,contentTitle:()=>r,default:()=>c,frontMatter:()=>o,metadata:()=>a,toc:()=>l});var a=n(521),i=n(4848),s=n(8453);const o={slug:"how-i-opensourced-my-secret-tokens",title:"How I Open-Sourced My Secret Access Tokens from GitHub, Slack, and NPM \u2014 and Who Actually Cares",authors:"ivanb"},r="How Services Handle Leaked Secret Tokens",d={authorsImageUrls:[void 0]},l=[{value:"GitHub",id:"github",level:2},{value:"NPM",id:"npm",level:2},{value:"Slack",id:"slack",level:2}];function h(e){const t={a:"a",br:"br",code:"code",h1:"h1",h2:"h2",img:"img",li:"li",p:"p",pre:"pre",ul:"ul",...(0,s.R)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsxs)(t.p,{children:["Our framework has a CI pipeline that runs ",(0,i.jsx)(t.code,{children:"npm run build"}),", publishes the package to NPM (",(0,i.jsx)(t.code,{children:"npm publish"}),"), and creates a new release on GitHub. It also sends a notification about the release to a Slack webhook for our team."]}),"\n",(0,i.jsx)(t.p,{children:"Secrets for these services were stored in our CI\u2019s built-in Vault (we are running a self-hosted Woodpecker CI)."}),"\n",(0,i.jsxs)(t.p,{children:["Recently, while moving plugins to separate repositories, I decided to try ",(0,i.jsx)(t.a,{href:"https://infisical.com/",children:"Infisical"})," for centralized secrets management instead of the internal CI Vault. Infisical provides a self-hosted open-source solution, has a well-organized UI, and offers better access control than our CI Vault. It was important to me that I could reuse secrets across different repositories without copying them every time I created a new plugin."]}),"\n",(0,i.jsx)(t.p,{children:"Here\u2019s what I did:"}),"\n",(0,i.jsx)(t.pre,{children:(0,i.jsx)(t.code,{className:"language-yaml",metastring:'title=".woodpecker.yml"',children:' \nsteps:\n//diff-add\n init-secrets:\n//diff-add\n when:\n//diff-add\n - event: push\n//diff-add\n image: infisical/cli\n//diff-add\n environment:\n//diff-add\n INFISICAL_TOKEN:\n//diff-add\n from_secret: VAULT_TOKEN\n//diff-add\n commands:\n//diff-add\n - infisical export --domain https://vault.devforth.io/api --format=dotenv-export --env="prod" > .vault.env\n//diff-add\n secrets:\n//diff-add\n - VAULT_TOKEN\n\n release:\n image: node:20\n when:\n - event: push\n commands:\n//diff-add\n - export $(cat .vault.env | xargs)\n - cd adminforth\n - npm clean-install\n - npm run build\n - npm audit signatures\n # does publish to npm, creates release on github, and sends notification to slack webhook\n - npx semantic-release \n//diff-remove\n secrets:\n//diff-remove\n - VAULT_NPM_TOKEN\n//diff-remove\n - VAULT_GITHUB_TOKEN\n//diff-remove\n - VAULT_SLACK_TOKEN\n'})}),"\n",(0,i.jsxs)(t.p,{children:["Pretty dumb method to export secrets to the ",(0,i.jsx)(t.code,{children:".vault.env"})," file, but it was late evening, and I didn\u2019t want to spend much time on it at the start."]}),"\n",(0,i.jsx)(t.p,{children:"I made the first push, and everything worked fine on the first attempt. I was happy."}),"\n",(0,i.jsx)(t.p,{children:"Then I started adding the same code to the first plugin, and the plugin build failed with a very unexpected error."}),"\n",(0,i.jsx)(t.p,{children:"It said that my NPM token was invalid. I was surprised and started printing the environment variables to see what was wrong (printing environment variables to the build log is a pretty bad practice and is the last thing you want to do, but I knew it was an internal CI, and the project was private)."}),"\n",(0,i.jsx)(t.p,{children:"I saw that my NPM token was still in the environment variables and was the same."}),"\n",(0,i.jsx)(t.p,{children:"I went back to the first repository and retried the build. It failed with the same error."}),"\n",(0,i.jsx)(t.p,{children:"I went to NPM and found out that the token had disappeared entirely from the list. I was shocked and recreated it."}),"\n",(0,i.jsx)(t.p,{children:"On the next build, I discovered that the Slack webhook was also not working. However, GitHub releases were created without issues in both repositories."}),"\n",(0,i.jsx)(t.p,{children:'Then I noticed an email push notification from Slack titled "Notification about invalidated webhook URLs."'}),"\n",(0,i.jsx)(t.p,{children:(0,i.jsx)(t.img,{alt:"Slack Notification about invalidated webhook URLs",src:n(9564).A+"",width:"1606",height:"1634"})}),"\n",(0,i.jsxs)(t.p,{children:["This was the moment I realized that ",(0,i.jsx)(t.code,{children:"npm publish"})," had simply taken my ",(0,i.jsx)(t.code,{children:".vault.env"})," file and published it to NPM."]}),"\n",(0,i.jsx)(t.p,{children:'Shortly after, I noticed a recent email from NPM titled "Granular access token deleted."'}),"\n",(0,i.jsx)(t.p,{children:(0,i.jsx)(t.img,{alt:"npm Granular access token deleted",src:n(4130).A+"",width:"1722",height:"1526"})}),"\n",(0,i.jsx)(t.p,{children:"The next thing I did was revoke all tokens, including the GitHub token, which still worked, and unpublish all packages from NPM (though they might still be cloned by some caches/aggregators/archivers)."}),"\n",(0,i.jsx)(t.h2,{id:"github",children:"GitHub"}),"\n",(0,i.jsx)(t.p,{children:"GitHub was not able to recognize that the token had been leaked to an NPM package and revoke it. Although they do a pretty good job when you push other vendors\u2019 secrets to a GitHub repository, it seems they don\u2019t check NPM sources."}),"\n",(0,i.jsx)(t.h2,{id:"npm",children:"NPM"}),"\n",(0,i.jsx)(t.p,{children:"NPM detected that the NPM token was published to their registry and revoked it. However, it was hard to understand why\u2014it was simply deleted. They sent an email, but it did not explain why the token was deleted or specify the source of the leak. Showing an error in the tokens list on the NPM website would have been the best option."}),"\n",(0,i.jsx)(t.h2,{id:"slack",children:"Slack"}),"\n",(0,i.jsx)(t.p,{children:"I was surprised, but Slack did a great job. They monitor NPM (I don\u2019t think they monitor the whole NPM registry; there\u2019s probably some interesting technology behind it). They detected that the NPM token was published to the registry and invalidated it. They sent an email with a clear explanation of why it was invalidated and what steps to take next."}),"\n",(0,i.jsx)(t.h1,{id:"conclusion",children:"Conclusion"}),"\n",(0,i.jsxs)(t.p,{children:["We can talk a lot about bad programming practices, but the main takeaway is that we are human. And humans still make mistakes.",(0,i.jsx)(t.br,{}),"\n","It makes a lot of sense to monitor for such human errors."]}),"\n",(0,i.jsxs)(t.p,{children:["In my case, NPM and Slack saved me from a potential security breach. Without their intervention, I would have learned about the issue only when someone used my tokens for malicious purposes.",(0,i.jsx)(t.br,{}),"\n","GitHub didn\u2019t detect or revoke the token, and many other services wouldn\u2019t have done so either."]}),"\n",(0,i.jsx)(t.p,{children:"Here are some common recommendations I learned from this experience:"}),"\n",(0,i.jsxs)(t.ul,{children:["\n",(0,i.jsx)(t.li,{children:"Try to limit token access as much as possible to only the required granularity. Even if something is leaked, it won\u2019t cause much harm. Don\u2019t grant access to all resources/packages/repos unless it\u2019s necessary."}),"\n",(0,i.jsxs)(t.li,{children:["Check what you publish, especially when making changes to your build pipeline. I missed the fact that the ",(0,i.jsx)(t.code,{children:".env"})," file was being published."]}),"\n",(0,i.jsx)(t.li,{children:"Appreciate services that monitor for leaks and respond to them. They can save you from potential security breaches."}),"\n"]})]})}function c(e={}){const{wrapper:t}={...(0,s.R)(),...e.components};return t?(0,i.jsx)(t,{...e,children:(0,i.jsx)(h,{...e})}):h(e)}},4130:(e,t,n)=>{n.d(t,{A:()=>a});const a=n.p+"assets/images/image-1-f41049dc26b1e0741b6a167bf224d0e2.png"},9564:(e,t,n)=>{n.d(t,{A:()=>a});const a=n.p+"assets/images/image-d15614a6703b6388201dc9a5dee77da7.png"},8453:(e,t,n)=>{n.d(t,{R:()=>o,x:()=>r});var a=n(6540);const i={},s=a.createContext(i);function o(e){const t=a.useContext(s);return a.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function r(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:o(e.components),a.createElement(s.Provider,{value:t},e.children)}},521:e=>{e.exports=JSON.parse('{"permalink":"/blog/how-i-opensourced-my-secret-tokens","source":"@site/blog/2025-01-24-how-i-published-token/index.md","title":"How I Open-Sourced My Secret Access Tokens from GitHub, Slack, and NPM \u2014 and Who Actually Cares","description":"Our framework has a CI pipeline that runs npm run build, publishes the package to NPM (npm publish), and creates a new release on GitHub. It also sends a notification about the release to a Slack webhook for our team.","date":"2025-01-24T00:00:00.000Z","tags":[],"readingTime":4.34,"hasTruncateMarker":true,"authors":[{"name":"Ivan Borshchov","title":"Maintainer of AdminForth","url":"https://github.com/ivictbor","imageURL":"https://avatars.githubusercontent.com/u/1838656?v=4","key":"ivanb","page":null}],"frontMatter":{"slug":"how-i-opensourced-my-secret-tokens","title":"How I Open-Sourced My Secret Access Tokens from GitHub, Slack, and NPM \u2014 and Who Actually Cares","authors":"ivanb"},"unlisted":false,"prevItem":{"title":"IaaC Simplified: Automating EC2 Deployments with GitHub Actions, Terraform, Docker & Distribution Registry","permalink":"/blog/compose-ec2-deployment-github-actions-registry"},"nextItem":{"title":"Why manual Release Notes and Versions are a chaos and how to fix it","permalink":"/blog/why-manual-release-notes-and-versions-are-a-chaos-and-how-to-fix-it"}}')}}]);