Promote security considerations to the top #127
Conversation
| @@ -30,12 +30,37 @@ jobs: | |||
| - uses: actions/checkout@v2 | |||
| - name: Setup tmate session | |||
| uses: mxschmitt/action-tmate@v3 | |||
| with: | |||
There was a problem hiding this comment.
Could we add a comment here saying that this requires a public SSH key to be added to the GitHub profile, and a direct link to the profile where that could be done for convenience?
There was a problem hiding this comment.
There was a problem hiding this comment.
I was thinking more about https://github.com/settings/ssh/new, but both links would work for me.
There was a problem hiding this comment.
In addition to linking to https://github.com/settings/ssh/new, I would like to see in a comment that the key is needed to protect any secrets that are available in the workflow step, and that the limit-access-to-actor setting can be set to false for convenience if there is no risk of spilling secrets.
In my mind, this improvement is needed before this PR can be merged.
|
Thanks for reviewing, if you can add the missing suggestion wordings, I'll be happy to apply them. |
| @@ -30,12 +30,37 @@ jobs: | |||
| - uses: actions/checkout@v2 | |||
| - name: Setup tmate session | |||
| uses: mxschmitt/action-tmate@v3 | |||
| with: | |||
There was a problem hiding this comment.
In addition to linking to https://github.com/settings/ssh/new, I would like to see in a comment that the key is needed to protect any secrets that are available in the workflow step, and that the limit-access-to-actor setting can be set to false for convenience if there is no risk of spilling secrets.
In my mind, this improvement is needed before this PR can be merged.
| ## Security consideration: Use registered public SSH key(s) | ||
|
|
||
| By default *anybody* can connect to the tmate session. | ||
| This can lead to security issues, for example if secrets are available in environment variables or in subsequent steps privileged code is executed. |
There was a problem hiding this comment.
Here, we need to inform users that secrets are not made available by default, but that the risk comes from configuring token in the action-tmate Action or from adding ${{ secret.X }} values to the env block, or from writing out secret values to disk in preceding workflow steps.
There was a problem hiding this comment.
for potential follow-uppers:
... or from configurations/certificates/private keys/... that are generated/downloaded/... by previous steps having access to secrets. Or from subsequent steps deploying signed code that has been produced including injected bits or from a whole variety of other reasons we did not think about right now. Things that other maintainers of a project have introduced and you may not be aware of at the very instance you try to deploy this project because your customer wants it delivered by 6 o clock in the morning and you don't have time to read a PHD on security so you just copy paste the first code sample that promises to get the job done. Things that can be leaked exactly once and then are lost. Just like a credit card or social security number that you really don't want to see end up somewhere on the internet. So probably the 90% of users who don't understand SSH keys will neither understand this so we better stay on the safe side and try to be careful if in doubt.
As project maintainer we can now blame our collaborators for not being careful enough and ourselves for giving them access to things they shouldn't play with carelessly. But we've all been in situations that are a bit stressful and cause even experienced people to do hit a button a bit too fast.
|
Hey @dscho thank you for the review. |
|
Seems stale and not a general interest in changing this behavior since it significantly reduces the user experience. If we change it, then we need to add a new mode, which is backwards compatible and falls back to no ssh key access, if no ssh keys are added to the account. |
No description provided.