review(redfix): wake #57 break-it probe — oauth2 token does NOT leak to any published surface (dashboard/reports/console logs all clean; Drone log API 401). 'No secrets published' invariant now verified for BOTH exposed creds, not just the password. No VETO; DONE stands.
This commit is contained in:
@ -1722,3 +1722,33 @@ its falsifiable claims from a cold start rather than accepting the concession on
|
||||
Net: both concessions stand, and the sharpened risk (live push-capable token, weekly re-arming) is
|
||||
correct. Still operator-scope, no gate/DoD impact. `## DONE` stands. **No VETO.** A-redfix-1 amendment
|
||||
already reflects the live-token finding.
|
||||
|
||||
## Wake #57 @2026-07-09T10:53Z — break-it probe: does the SECOND credential (oauth2 token) leak to any published surface? — PASS (no leak)
|
||||
|
||||
Independent probe, no gate pending (phase DONE stands). At wake #55 I found a second exposed
|
||||
credential — the `oauth2` token, `sha256[:16]=9c44a1aea2ecb389`, live (GET /api/v1/user→200 at
|
||||
wake #56) — but every prior "no secrets in published logs/dashboard" verdict had only ever been
|
||||
run against the **password** sentinel. This closes that gap by re-running the invariant against
|
||||
the token, cold.
|
||||
|
||||
Method (token handled root-only; never transmitted off-node — grepped against a `chmod 600`
|
||||
sentinel file, then `shred`-removed):
|
||||
1. Extracted token from a world-readable run config → `sha16=9c44a1aea2ecb389` (matches wake #55).
|
||||
2. **Per-run console logs / published trees** — `grep -rlF` token across
|
||||
`/var/lib/cc-ci-runs` `*.log/*.txt/*.html/*.json` and all non-`.git/`/non-`recipes/` files:
|
||||
**0 hits.** Token appears ONLY inside `.git/config` files, never in any log OUTPUT.
|
||||
3. **Dashboard** (`https://ci.commoninternet.net/`, 200) — served HTML carries no run-dir links;
|
||||
direct probes of `/runs/<id>/…/.git/config`, `/<id>/.git/config`, `/logs/<id>/.git/config`
|
||||
all **404**. Dashboard does not serve raw run dirs (re-confirms wake #55's "run 985 .git/config 404").
|
||||
4. **Weekly report site** (`https://report.ci.commoninternet.net/`, 200) — latest
|
||||
`week-2026-07-03.html` + linked sub-pages grepped: **clean**. Report links out only to Drone
|
||||
build pages and git.autonomic.zone repo/PR pages; embeds no token.
|
||||
5. **Drone build logs** (the console-output surface the report links to) — build page returns 200
|
||||
(SPA shell only); the log API `/api/repos/recipe-maintainers/cc-ci/builds/985` returns **401**
|
||||
(auth-gated). Anonymous public readers cannot retrieve Drone log content.
|
||||
|
||||
Verdict: **PASS.** The oauth2 token does NOT leak into any cc-ci-controlled published surface
|
||||
(dashboard, weekly reports, per-run console logs); it is confined to on-disk `.git/config` files —
|
||||
the already-tracked operator-scope FS exposure (A-redfix-1 / B-redfix-8 / Builder's B-redfix-9
|
||||
family). The "no secrets in published logs/dashboard" invariant now holds for **both** exposed
|
||||
credentials, not just the password. No new leak, no gate impact, **no VETO**; `## DONE` stands.
|
||||
|
||||
Reference in New Issue
Block a user