This is a blog post covering the ROS Security Audit and the cache security vulnerabilities.
Write a blog post about runner security. #566
Kwonunn/forgejo-website:runner-security into main
Preview ready: https://forgejo.codeberg.page/@pull_566/
https://forgejo.codeberg.page/@pull_566/2025-03-runner-security/
https://forgejo.codeberg.page/@pull_566/news/13/
https://forgejo.codeberg.page/@pull_566/tag/runner/
Is it ready for review or should I wait until it is no longer WIP:?
I think it's ready for review and additions, i just set it to WIP because there's a huge TODO section and i don't accidentally want to merge that.
Here is an idea. Instead of Cache vulnerability which is kind of lonely, what about listing the security issues fixed since the audit started and mention which section of the report is associated with them? Presumably the reader is interested in a high level overview of the security related work that went on during the past six months. And the cache vulnerability is one of them.
That would, IMHO consistute the body of the blog post.
As for "how to move forward", that's a tough one.
I think listing all of the issues is a good idea, I'll have to go through the report again tho so that might take me a bit.
IIRC there are half a dozen issues.
i found a bug in the new cache code that you may want to try to fix before additional advertising (posting this blog post) to upgrade to the new version.
https://code.forgejo.org/forgejo/runner/issues/509
I suspect it is environmental rather than a bug, but it is worth getting to the bottom of it before posting.
I now think it is a real bug.
Does anyone have any insight on what to write in the moving forward section?
@ -0,0 +21,4 @@
It was possible to perform privilege escalation by specifying certain container options. This was [fixed by filtering the container options](https://code.forgejo.org/forgejo/act/pulls/83/files).
- **CLN-002 - Runner containers have access to Docker socket**
By default the Docker socket was mounted into job containers. This would let workflows perform privilege escalation. This [default has been changed](https://code.forgejo.org/forgejo/runner/pulls/333).
- **Cache access is not authenticated**
reminder to somehow mention I found this issue.
done ^-^
thanks!
@ -0,0 +24,4 @@
- **Cache access is not authenticated**
Access to the caches was not authenticated, which means that workflows for one repository could receive caches from other repositories by guessing the right cache key. This has been fixed by [requiring authentication to access the caches and adding a proxy to transparently perform this authentication](https://code.forgejo.org/forgejo/runner/commit/46eb63a952e2e403aea80316514d4815fa47b0c8).
The complete details about the findings and non-findings of the audit can be found in the [code audit report](https://code.forgejo.org/forgejo/nlnet-off-ngie-forgejo/src/commit/69f76976cc6a62bc7a64f9f76e4be75eec3d608d/target/Forgejo%20penetration%20test%20report%202024%201.0.pdf).
I noticed the findings are numbered, but missing some numbers, maybe add a footnote explaining why?
The findings from the ROS report were given a code, but since you reported the issue in a private repository it wasn't given a public code. I opted to just leave out the code. I might just leave out the codes from the ROS findings as well as they don't add much outside the context of the report, and you can read the report if you want to.
ah, i meant I am wondering why the findings in the report have numbers but some are missing...are they keys in some lookup table of kinds of vulnerabilities, or did they find some stuff that turned out to not be a bug so got deleted?
ohh, i think that's just because things were investigated that didn't end up being a vulnerability
With multiline secrets masking there are no open security issues in the runner. It would be a good time to complete this blog post 🙏
5bf0094946
e513b23755
Let me know if I should review now or if I should wait a little more 🙏
@Kwonunn I'll review and maybe open another pull request with changes since this one does not allow for edits. Unless you're about to finish it?
@earl-warren If you have any suggestions I'd love them. I put this on WIP because the multiline secrets PR wasn't merged yet. I'll remove that now.
Reading it again, since it is short (which is a good thing), it would be a good fit for a section in the next monthly update which is due in a few days. It is also a lot less work 😇. What do you think?
Sections are collected at #609, I'll suggest it with a link there.
Good idea, since i also don't really know what else to add to the post.
It is now included in !626. There where some small refactors and still need to re-add the links...
Move over to the July 2025 monthly report. #626
Pull request closed
No due date set.
No dependencies set.
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?