Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Potential security issue #53

Closed
simbamarufu1 opened this issue May 30, 2020 · 5 comments
Closed

Potential security issue #53

simbamarufu1 opened this issue May 30, 2020 · 5 comments
Assignees
Milestone

Comments

@simbamarufu1
Copy link

When using this action, the following warning is displayed and it states that secrets are visible inside the container in plaintext in /github/home/.docker/config.json. I am aware that action containers are ephemeral, but isn't this file accessible to subsequent executed actions?

15 Logging in to registry 16 WARNING! Using --password via the CLI is insecure. Use --password-stdin. 17 WARNING! Your password will be stored unencrypted in /github/home/.docker/config.json. 18 Configure a credential helper to remove this warning. See 19 https://docs.docker.com/engine/reference/commandline/login/#credentials-store

@justincormack
Copy link
Member

We are looking into the best way to handle these credentials, thanks for the report. The file will indeed be available later, unless you logout or remove it.

@crazy-max
Copy link
Member

crazy-max commented Sep 2, 2020

Hi @simbamarufu1,

This will be fixed through build-push-action v2 (#92) and more precisely the login-action if you want to try it.

@crazy-max crazy-max added this to the v2 milestone Sep 2, 2020
@crazy-max
Copy link
Member

Version 2 has been merged to the main branch and is therefore available via uses: docker/build-push-action@v2 (mutable tag).

As a reminder, this new version changes drastically and works with 3 new actions (login, setup-buildx and setup-qemu) that we have created. Many usage examples have been added to handle most use cases.

And it should fix this current issue. Don't hesitate if you have any questions.

@eine
Copy link

eine commented Nov 4, 2020

I'm sorry to bring the bad news, but I'd say that this issue was not fixed. It seems that the warning message is hidden from the users, which is misleading as it provides a false feeling of security. As seen in https://github.com/docker/login-action/blob/adb73476b6e06caddec5db0bc1deacbec8cdd947/src/docker.ts#L36, on success stderr is not shown. The warning is precisely shown when the login is successful but insecure.

See https://github.com/eine/login-action/commits/master and https://github.com/eine/login-action/runs/1354438643?check_suite_focus=true#step:3:8.

@crazy-max, can you please reopen this issue?

@Al13n0
Copy link

Al13n0 commented Jul 15, 2022

I can confirm the issue is still there, even using the docker/login-action@v2, the only fix is that the error message is hided from the user.
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants