It's possible (fairly simple) to beat CircleCI and get the credentials first. You can figure out what the next build will be, so it's just a case of watching the repository and picking up the VCS revision faster than CircleCI can queue the build, download the relevant Docker container, load this plugin, and initiate the request.
I think in general that the approach taken here nearly works. I wonder if you could make it work with:

1. The build makes a request to `auth/circleci/login`, along with the user, project, build num etc.
2. The plugin generates a secret key and a "nonce" and returns them to the CircleCI build.
3. The build puts the "nonce" on stdout.
4. The plugin requests the build output and checks for the presence of the "nonce". If it's not found for some time, the authentication attempt times out.
5. The build makes a second request to `auth/circleci/callback` with the original details, and the secret key from step 2.
6. Once the plugin has seen the "nonce" in the output, it can return a new `client_token` that's valid for the lifetime of the build.

An attacker can easily obtain a secret key + nonce pair, but since they cannot control the log output of the build, they cannot steal the secrets.
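The login/nonce/callback exchange proposed above, written out as a runnable model. This is an added example and not code from the plugin or the commenter; the `auth/circleci/login` and `auth/circleci/callback` handlers are modelled as plain Go methods, the CircleCI build-output API is replaced by an in-memory `FakeLogs` stand-in, the `VAULT-NONCE:` marker on stdout and the `s.`-prefixed token are assumed formats, and the one-minute timeout is an arbitrary choice. The point it makes concrete is the last sentence of the comment: an attacker who races the real build to `login` gets a perfectly valid secret/nonce pair, but `callback` only succeeds for the pair whose nonce actually appears in that build's output.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Errors returned by Callback. Each maps to one way the exchange can fail.
var (
	ErrUnknownSecret = errors.New("no pending login for that secret key and build")
	ErrExpired       = errors.New("login attempt timed out before the nonce appeared")
	ErrNonceMissing  = errors.New("nonce not present in build output")
)

// NonceMarker is the assumed prefix the build prints in front of its nonce.
const NonceMarker = "VAULT-NONCE:"

// LogSource is the build-output lookup (step 4). The real plugin would call
// the CircleCI API; FakeLogs below is a constructed in-memory stand-in.
type LogSource interface {
	BuildOutput(project string, buildNum int) (string, error)
}

type FakeLogs struct {
	mu  sync.Mutex
	out map[string]string
}

func NewFakeLogs() *FakeLogs { return &FakeLogs{out: map[string]string{}} }

func buildKey(project string, buildNum int) string { return fmt.Sprintf("%s/%d", project, buildNum) }

// Append simulates the build writing one line to its own stdout (step 3).
func (f *FakeLogs) Append(project string, buildNum int, line string) {
	f.mu.Lock()
	defer f.mu.Unlock()
	f.out[buildKey(project, buildNum)] += line + "\n"
}

func (f *FakeLogs) BuildOutput(project string, buildNum int) (string, error) {
	f.mu.Lock()
	defer f.mu.Unlock()
	return f.out[buildKey(project, buildNum)], nil
}

type attempt struct {
	project  string
	buildNum int
	nonce    string
	expires  time.Time
}

// Plugin keeps pending attempts keyed by secret key, so an attacker's early
// login for build N and the real build's login for N coexist without clashing.
type Plugin struct {
	mu      sync.Mutex
	logs    LogSource
	pending map[string]attempt
	ttl     time.Duration
	now     func() time.Time // injectable clock so the timeout can be exercised
}

func NewPlugin(logs LogSource, ttl time.Duration) *Plugin {
	return &Plugin{logs: logs, pending: map[string]attempt{}, ttl: ttl, now: time.Now}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Login models auth/circleci/login (steps 1-2): anyone can call it and gets a
// fresh secret key and nonce. On its own the pair grants nothing.
func (p *Plugin) Login(project string, buildNum int) (secret, nonce string) {
	secret, nonce = randomHex(32), randomHex(16)
	p.mu.Lock()
	defer p.mu.Unlock()
	p.pending[secret] = attempt{project, buildNum, nonce, p.now().Add(p.ttl)}
	return secret, nonce
}

// Callback models auth/circleci/callback (steps 4-6). The secret key proves the
// caller made the login request; the nonce in the build output proves the
// caller controls what that build prints. Only both together yield a token.
func (p *Plugin) Callback(project string, buildNum int, secret string) (string, error) {
	p.mu.Lock()
	a, ok := p.pending[secret]
	p.mu.Unlock()
	if !ok || a.project != project || a.buildNum != buildNum {
		return "", ErrUnknownSecret
	}
	if p.now().After(a.expires) {
		p.mu.Lock()
		delete(p.pending, secret)
		p.mu.Unlock()
		return "", ErrExpired
	}
	out, err := p.logs.BuildOutput(project, buildNum)
	if err != nil {
		return "", err
	}
	if !strings.Contains(out, NonceMarker+a.nonce) {
		return "", ErrNonceMissing
	}
	p.mu.Lock()
	delete(p.pending, secret) // one-shot: replaying the same callback fails
	p.mu.Unlock()
	return "s." + randomHex(24), nil // stand-in for a Vault client_token
}

func main() {
	logs := NewFakeLogs()
	p := NewPlugin(logs, time.Minute)
	secret, nonce := p.Login("org/repo", 42)
	logs.Append("org/repo", 42, NonceMarker+nonce) // the real build echoes its nonce
	tok, err := p.Callback("org/repo", 42, secret)
	fmt.Println(tok != "", err)
}
```

Two design choices worth noting. Attempts are keyed by secret key rather than by build, so the race the comment describes cannot be turned into a denial of service by an attacker who logs in first and occupies the slot for that build. The check also binds the secret to the project and build number given at login, so a secret obtained for one build cannot be redeemed against another build's output.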