32
40
Fork
You've already forked website
52

Write a blog post about runner security. #566

Closed
Kwonunn wants to merge 8 commits from Kwonunn/forgejo-website:runner-security into main
pull from: Kwonunn/forgejo-website:runner-security
merge into: forgejo:main
forgejo:main
forgejo:monthly-2026-05
forgejo:mahlzahn-eslint-js
forgejo:preview-link-status
forgejo:nightfire
forgejo:2022年12月14日-main
Member
Copy link

This is a blog post covering the ROS Security Audit and the cache security vulnerabilities.

This is a blog post covering the ROS Security Audit and the cache security vulnerabilities.
Collaborator
Copy link
Preview ready: https://forgejo.codeberg.page/@pull_566/ https://forgejo.codeberg.page/@pull_566/2025-03-runner-security/ https://forgejo.codeberg.page/@pull_566/news/13/ https://forgejo.codeberg.page/@pull_566/tag/runner/
Contributor
Copy link

Is it ready for review or should I wait until it is no longer WIP:?

Is it ready for review or should I wait until it is no longer WIP:?
Author
Member
Copy link

I think it's ready for review and additions, i just set it to WIP because there's a huge TODO section and i don't accidentally want to merge that.

I think it's ready for review and additions, i just set it to WIP because there's a huge TODO section and i don't accidentally want to merge that.
Contributor
Copy link

Here is an idea. Instead of Cache vulnerability which is kind of lonely, what about listing the security issues fixed since the audit started and mention which section of the report is associated with them? Presumably the reader is interested in a high level overview of the security related work that went on during the past six months. And the cache vulnerability is one of them.

That would, IMHO consistute the body of the blog post.

As for "how to move forward", that's a tough one.

Here is an idea. Instead of `Cache vulnerability` which is kind of lonely, what about listing the security issues fixed since the audit started and mention which section of the report is associated with them? Presumably the reader is interested in a high level overview of the security related work that went on during the past six months. And the cache vulnerability is one of them. That would, IMHO consistute the body of the blog post. As for "how to move forward", that's a tough one.
Author
Member
Copy link

I think listing all of the issues is a good idea, I'll have to go through the report again tho so that might take me a bit.

I think listing all of the issues is a good idea, I'll have to go through the report again tho so that might take me a bit.
Contributor
Copy link

IIRC there are half a dozen issues.

IIRC there are half a dozen issues.
First-time contributor
Copy link

i found a bug in the new cache code that you may want to try to fix before additional advertising (posting this blog post) to upgrade to the new version.
https://code.forgejo.org/forgejo/runner/issues/509

i found a bug in the new cache code that you may want to try to fix before additional advertising (posting this blog post) to upgrade to the new version. https://code.forgejo.org/forgejo/runner/issues/509
Contributor
Copy link

I suspect it is environmental rather than a bug, but it is worth getting to the bottom of it before posting.

I suspect it is environmental rather than a bug, but it is worth getting to the bottom of it before posting.
Contributor
Copy link

I now think it is a real bug.

I now think it is a real bug.
Author
Member
Copy link

Does anyone have any insight on what to write in the moving forward section?

Does anyone have any insight on what to write in the moving forward section?
@ -0,0 +21,4 @@
It was possible to perform privilege escalation by specifying certain container options. This was [fixed by filtering the container options](https://code.forgejo.org/forgejo/act/pulls/83/files).
- **CLN-002 - Runner containers have access to Docker socket**
By default the Docker socket was mounted into job containers. This would let workflows perform privilege escalation. This [default has been changed](https://code.forgejo.org/forgejo/runner/pulls/333).
- **Cache access is not authenticated**
First-time contributor
Copy link

reminder to somehow mention I found this issue.

reminder to somehow mention I found this issue.
Author
Member
Copy link

done ^-^

done ^-^
First-time contributor
Copy link

thanks!

thanks!
Kwonunn marked this conversation as resolved
@ -0,0 +24,4 @@
- **Cache access is not authenticated**
Access to the caches was not authenticated, which means that workflows for one repository could receive caches from other repositories by guessing the right cache key. This has been fixed by [requiring authentication to access the caches and adding a proxy to transparently perform this authentication](https://code.forgejo.org/forgejo/runner/commit/46eb63a952e2e403aea80316514d4815fa47b0c8).
The complete details about the findings and non-findings of the audit can be found in the [code audit report](https://code.forgejo.org/forgejo/nlnet-off-ngie-forgejo/src/commit/69f76976cc6a62bc7a64f9f76e4be75eec3d608d/target/Forgejo%20penetration%20test%20report%202024%201.0.pdf).
First-time contributor
Copy link

I noticed the findings are numbered, but missing some numbers, maybe add a footnote explaining why?

I noticed the findings are numbered, but missing some numbers, maybe add a footnote explaining why?
Author
Member
Copy link

The findings from the ROS report were given a code, but since you reported the issue in a private repository it wasn't given a public code. I opted to just leave out the code. I might just leave out the codes from the ROS findings as well as they don't add much outside the context of the report, and you can read the report if you want to.

The findings from the ROS report were given a code, but since you reported the issue in a private repository it wasn't given a public code. I opted to just leave out the code. I might just leave out the codes from the ROS findings as well as they don't add much outside the context of the report, and you can read the report if you want to.
First-time contributor
Copy link

ah, i meant I am wondering why the findings in the report have numbers but some are missing...are they keys in some lookup table of kinds of vulnerabilities, or did they find some stuff that turned out to not be a bug so got deleted?

ah, i meant I am wondering why the findings in the report have numbers but some are missing...are they keys in some lookup table of kinds of vulnerabilities, or did they find some stuff that turned out to not be a bug so got deleted?
Author
Member
Copy link

ohh, i think that's just because things were investigated that didn't end up being a vulnerability

ohh, i think that's just because things were investigated that didn't end up being a vulnerability
Contributor
Copy link

With multiline secrets masking there are no open security issues in the runner. It would be a good time to complete this blog post 🙏

With [multiline secrets masking](https://code.forgejo.org/forgejo/runner/pulls/661) there are no open security issues in the runner. It would be a good time to complete this blog post 🙏
Kwonunn force-pushed runner-security from 5bf0094946
All checks were successful
pr / preview (pull_request_target) Successful in 1m33s
to e513b23755
All checks were successful
pr / preview (pull_request_target) Successful in 1m32s
2025年07月10日 22:24:50 +02:00
Compare
Contributor
Copy link

Let me know if I should review now or if I should wait a little more 🙏

Let me know if I should review now or if I should wait a little more 🙏
Contributor
Copy link

@Kwonunn I'll review and maybe open another pull request with changes since this one does not allow for edits. Unless you're about to finish it?

@Kwonunn I'll review and maybe open another pull request with changes since this one does not allow for edits. Unless you're about to finish it?
Author
Member
Copy link

@earl-warren If you have any suggestions I'd love them. I put this on WIP because the multiline secrets PR wasn't merged yet. I'll remove that now.

@earl-warren If you have any suggestions I'd love them. I put this on WIP because the multiline secrets PR wasn't merged yet. I'll remove that now.
Kwonunn changed title from (削除) WIP: Write a blog post about runner security. (削除ここまで) to Write a blog post about runner security. 2025年07月28日 15:59:37 +02:00
Merge branch 'main' into runner-security
All checks were successful
pr / preview (pull_request_target) Successful in 1m16s
84a026aade
Contributor
Copy link

Reading it again, since it is short (which is a good thing), it would be a good fit for a section in the next monthly update which is due in a few days. It is also a lot less work 😇. What do you think?

Sections are collected at #609, I'll suggest it with a link there.

Reading it again, since it is short (which is a good thing), it would be a good fit for a section in the next monthly update which is due in a few days. It is also a lot less work 😇. What do you think? Sections are collected at https://codeberg.org/forgejo/website/issues/609, I'll suggest it with a link there.
Author
Member
Copy link

Good idea, since i also don't really know what else to add to the post.

Good idea, since i also don't really know what else to add to the post.

It is now included in !626. There where some small refactors and still need to re-add the links...

It is now included in !626. There where some small refactors and still need to re-add the links...
Contributor
Copy link

Move over to the July 2025 monthly report. #626

Move over to the July 2025 monthly report. https://codeberg.org/forgejo/website/pulls/626
Some checks are pending
pr / preview (pull_request_target) Successful in 1m16s
pr / preview (pull_request)
Required

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Labels
Clear labels
404
Broken links or missing content
Accessibility
Accessibility
Blog post
Documentation
Forgejo Documentation
Internationalisation
i18n and l10n
User research - Accessibility
Requires input about accessibility features, likely involves user testing.
User research - Blocked
Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.
User research - Community
Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.
User research - Config (instance)
Instance-wide configuration, authentication and other admin-only needs.
User research - Errors
How to deal with errors in the application and write helpful error messages.
User research - Filters
How filter and search is being worked with.
User research - Future backlog
The issue might be inspiring for future design work.
User research - Git workflow
AGit, fork-based and new Git workflow, PR creation etc
User research - Labels
Active research about Labels
User research - Moderation
Moderation Featuers for Admins are undergoing active User Research
User research - Needs input
Use this label to let the User Research team know their input is requested.
User research - Notifications/Dashboard
Research on how users should know what to do next.
User research - Rendering
Text rendering, markup languages etc
User research - Repo creation
Active research about the New Repo dialog.
User research - Repo units
The repo sections, disabling them and the "Add more" button.
User research - Security
User research - Settings (in-app)
How to structure in-app settings in the future?
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
5 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/website!566
Reference in a new issue
forgejo/website
No description provided.
Delete branch "Kwonunn/forgejo-website:runner-security"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?