Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential security issue #53

Closed
simbamarufu1 opened this issue May 30, 2020 · 5 comments
Closed

Potential security issue #53

simbamarufu1 opened this issue May 30, 2020 · 5 comments
Assignees
@justincormack
Milestone
v2

Comments

@simbamarufu1
Copy link

When using this action, the following warning is displayed and it states that secrets are visible inside the container in plaintext in /github/home/.docker/config.json. I am aware that action containers are ephemeral, but isn't this file accessible to subsequent executed actions?

15 Logging in to registry 16 WARNING! Using --password via the CLI is insecure. Use --password-stdin. 17 WARNING! Your password will be stored unencrypted in /github/home/.docker/config.json. 18 Configure a credential helper to remove this warning. See 19 https://docs.docker.com/engine/reference/commandline/login/#credentials-store
@justincormack
Copy link
Member

We are looking into the best way to handle these credentials, thanks for the report. The file will indeed be available later, unless you logout or remove it.

@justincormack justincormack self-assigned this Jun 9, 2020
@domenic domenic mentioned this issue Jun 16, 2020
Merged
@oke-aditya oke-aditya mentioned this issue Jun 23, 2020
Closed
@eine eine mentioned this issue Jul 5, 2020
Closed
@crazy-max
Copy link
Member

crazy-max commented Sep 2, 2020
edited
Loading

Hi @simbamarufu1,

This will be fixed through build-push-action v2 (#92) and more precisely the login-action if you want to try it.

@crazy-max crazy-max added this to the v2 milestone Sep 2, 2020
@crazy-max
Copy link
Member

Version 2 has been merged to the main branch and is therefore available via uses: docker/build-push-action@v2 (mutable tag).

As a reminder, this new version changes drastically and works with 3 new actions (login, setup-buildx and setup-qemu) that we have created. Many usage examples have been added to handle most use cases.

And it should fix this current issue. Don't hesitate if you have any questions.

@eine
Copy link

eine commented Nov 4, 2020

I'm sorry to bring the bad news, but I'd say that this issue was not fixed. It seems that the warning message is hidden from the users, which is misleading as it provides a false feeling of security. As seen in https://github.com/docker/login-action/blob/adb73476b6e06caddec5db0bc1deacbec8cdd947/src/docker.ts#L36, on success stderr is not shown. The warning is precisely shown when the login is successful but insecure.

See https://github.com/eine/login-action/commits/master and https://github.com/eine/login-action/runs/1354438643?check_suite_focus=true#step:3:8.

@crazy-max, can you please reopen this issue?

@eine eine mentioned this issue Nov 4, 2020
Open
@eine eine mentioned this issue Nov 13, 2020
Open
@Al13n0
Copy link

Al13n0 commented Jul 15, 2022
edited
Loading

I can confirm the issue is still there, even using the docker/login-action@v2, the only fix is that the error message is hided from the user.
image

Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@justincormack justincormack

Labels
None yet
Projects
None yet
Milestone
v2
Development

No branches or pull requests
5 participants
@justincormack @crazy-max @eine @Al13n0 @simbamarufu1