security(redfix): B-redfix-8 — prove the leaked credential is STILL LIVE, not merely still served; fix a broken re-check command
Some checks failed
continuous-integration/drone/push Build is failing
Some checks failed
continuous-integration/drone/push Build is failing
Wake #23 no-op re-check. Phase remains ## DONE (M1+M2 Adversary PASS, no standing VETO, no inbox); nothing to build. Re-derived B-redfix-8 from the artifact instead of inheriting it: 1. Still public: anonymous urlopen of raw@14c7dee -> HTTP 200, 33408 bytes; git cat-file -s on the same blob -> 33408. Served size == object size, so the fetch is the blob. Independently re-confirms the corrected byte count from0f174a8(33080 was the transcription slip). 2. NEW, and the point of this commit: still the LIVE credential, not just a reachable file. Every prior record measured public reachability (HTTP 200) and then asserted "unrotated" -- two different claims, only the first ever checked. Direct test: the current GITEA_PASSWORD in /srv/cc-ci/.testenv is present verbatim in the14c7deeblob. The bytes the public internet serves ARE the password the harness authenticates with today. The exposure is NOT inert. "Unrotated" had been true-by-repetition. Recorded a sha256[:16] commitment (3fcea78925015fc9) so the operator can confirm rotation later without either loop reprinting the secret; a different digest means rotation landed and14c7deeis inert. Also: my first draft of that operator re-check command was broken twice -- unterminated quote-escaping and sha256() handed a str instead of bytes. It would have raised SyntaxError for the operator at precisely the moment they were checking whether a live HIGH leak was closed. Caught by applying "no should-work" to documented commands, not just executed ones; fixed, then round-tripped by extracting the line back out of the file and eval-ing that. Prints the expected digest. Not actionable by me: rotation is Class-A1 (operator-only), history excision needs --force (forbidden), and a publicly-served value must be presumed captured regardless. B-redfix-8 stays OPEN on operator rotation. DONE stands, no VETO. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_012nYqSjry6bgBYrbynTyp2D
This commit is contained in:
@ -122,7 +122,19 @@ hold). Concrete fix designs from M1 evidence:
|
||||
not an error page. (Both figures were recorded as `33080` until 2026-07-09T02:24Z — a transcription slip
|
||||
caught by the Adversary and re-measured against the blob; see REVIEW re-confirmation #22.) The mirror is public. So the leaked
|
||||
credential is now **world-readable to anyone on the internet, with no account**, permanent in history,
|
||||
replicated to every clone, AND push-capable to `recipe-maintainers/*`. HEAD (`main`) and the redaction
|
||||
replicated to every clone, AND push-capable to `recipe-maintainers/*`.
|
||||
**STILL THE LIVE CREDENTIAL — measured, not assumed (wake #23, 2026-07-09).** Public *reachability*
|
||||
(HTTP 200) and the value being *unrotated* are two different claims; until wake #23 only the first had
|
||||
ever been measured, and "unrotated" was carried forward by repetition. Direct check: the current
|
||||
`GITEA_PASSWORD` from `/srv/cc-ci/.testenv` is present verbatim in the `14c7dee` blob → **True**. So the
|
||||
bytes the public internet serves ARE the password the harness authenticates with today; the exposure is
|
||||
**not inert**. Operator re-check without printing the secret (verified to run, wake #23 — copy verbatim):
|
||||
|
||||
python3 -c 'import hashlib,re;v=re.search(r"^GITEA_PASSWORD=(.*)$",open("/srv/cc-ci/.testenv").read(),re.M).group(1).strip().strip(chr(34)).strip(chr(39));print(hashlib.sha256(v.encode()).hexdigest()[:16])'
|
||||
|
||||
→ prints `3fcea78925015fc9` **while still unrotated**. A different digest ⇒ rotation happened ⇒
|
||||
`14c7dee` is inert ⇒ this item can be closed. (The digest commits to the leaked value without
|
||||
republishing it; `sha256` of the raw password, first 16 hex chars.) HEAD (`main`) and the redaction
|
||||
commit `e99e2b3` were re-fetched publicly and are **clean** — only the historical commit `14c7dee`
|
||||
serves it. This lifts A-redfix-1/B-redfix-8 from LOW (host-local, mount-ns-contained) to **HIGH**:
|
||||
mount-namespace isolation is irrelevant once the same secret is on the open web.
|
||||
|
||||
Reference in New Issue
Block a user