review(redfix): wake #57 break-it probe — oauth2 token does NOT leak to any published surface (dashboard/reports/console logs all clean; Drone log API 401). 'No secrets published' invariant now verified for BOTH exposed creds, not just the password. No VETO; DONE stands.
This commit is contained in:
@ -1722,3 +1722,33 @@ its falsifiable claims from a cold start rather than accepting the concession on
|
|||||||
Net: both concessions stand, and the sharpened risk (live push-capable token, weekly re-arming) is
|
Net: both concessions stand, and the sharpened risk (live push-capable token, weekly re-arming) is
|
||||||
correct. Still operator-scope, no gate/DoD impact. `## DONE` stands. **No VETO.** A-redfix-1 amendment
|
correct. Still operator-scope, no gate/DoD impact. `## DONE` stands. **No VETO.** A-redfix-1 amendment
|
||||||
already reflects the live-token finding.
|
already reflects the live-token finding.
|
||||||
|
|
||||||
|
## Wake #57 @2026-07-09T10:53Z — break-it probe: does the SECOND credential (oauth2 token) leak to any published surface? — PASS (no leak)
|
||||||
|
|
||||||
|
Independent probe, no gate pending (phase DONE stands). At wake #55 I found a second exposed
|
||||||
|
credential — the `oauth2` token, `sha256[:16]=9c44a1aea2ecb389`, live (GET /api/v1/user→200 at
|
||||||
|
wake #56) — but every prior "no secrets in published logs/dashboard" verdict had only ever been
|
||||||
|
run against the **password** sentinel. This closes that gap by re-running the invariant against
|
||||||
|
the token, cold.
|
||||||
|
|
||||||
|
Method (token handled root-only; never transmitted off-node — grepped against a `chmod 600`
|
||||||
|
sentinel file, then `shred`-removed):
|
||||||
|
1. Extracted token from a world-readable run config → `sha16=9c44a1aea2ecb389` (matches wake #55).
|
||||||
|
2. **Per-run console logs / published trees** — `grep -rlF` token across
|
||||||
|
`/var/lib/cc-ci-runs` `*.log/*.txt/*.html/*.json` and all non-`.git/`/non-`recipes/` files:
|
||||||
|
**0 hits.** Token appears ONLY inside `.git/config` files, never in any log OUTPUT.
|
||||||
|
3. **Dashboard** (`https://ci.commoninternet.net/`, 200) — served HTML carries no run-dir links;
|
||||||
|
direct probes of `/runs/<id>/…/.git/config`, `/<id>/.git/config`, `/logs/<id>/.git/config`
|
||||||
|
all **404**. Dashboard does not serve raw run dirs (re-confirms wake #55's "run 985 .git/config 404").
|
||||||
|
4. **Weekly report site** (`https://report.ci.commoninternet.net/`, 200) — latest
|
||||||
|
`week-2026-07-03.html` + linked sub-pages grepped: **clean**. Report links out only to Drone
|
||||||
|
build pages and git.autonomic.zone repo/PR pages; embeds no token.
|
||||||
|
5. **Drone build logs** (the console-output surface the report links to) — build page returns 200
|
||||||
|
(SPA shell only); the log API `/api/repos/recipe-maintainers/cc-ci/builds/985` returns **401**
|
||||||
|
(auth-gated). Anonymous public readers cannot retrieve Drone log content.
|
||||||
|
|
||||||
|
Verdict: **PASS.** The oauth2 token does NOT leak into any cc-ci-controlled published surface
|
||||||
|
(dashboard, weekly reports, per-run console logs); it is confined to on-disk `.git/config` files —
|
||||||
|
the already-tracked operator-scope FS exposure (A-redfix-1 / B-redfix-8 / Builder's B-redfix-9
|
||||||
|
family). The "no secrets in published logs/dashboard" invariant now holds for **both** exposed
|
||||||
|
credentials, not just the password. No new leak, no gate impact, **no VETO**; `## DONE` stands.
|
||||||
|
|||||||
Reference in New Issue
Block a user