
Security issue

Open eine opened this issue 3 years ago • 8 comments

Coming from docker/build-push-action#53

Refs:

  • docker/login-action#25
  • docker/github-actions#21
  • actions/starter-workflows#96

Behaviour

https://github.com/docker/build-push-action/issues/53#issuecomment-721898162

It seems that the warning message is hidden from the users, which is misleading as it provides a false feeling of security. As seen in docker/login-action@adb7347/src/docker.ts#L36, on success stderr is not shown. The warning is precisely shown when the login is successful but insecure.

Steps to reproduce this issue

https://github.com/docker/build-push-action/issues/53#issuecomment-721898162

See eine/login-action@master (commits) and eine/login-action/runs/1354438643?check_suite_focus=true#step:3:8.

Expected behaviour

Login is secure or security warnings are not hidden.

Actual behaviour

Login is reported not to be secure, but warnings are hidden.

eine avatar Nov 13 '20 07:11 eine
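Two defender-side checks for the behaviour described in the issue, written as an added example in TypeScript (the language of docker.ts); this is not code from docker/login-action, the function names are hypothetical, and the stderr text and config.json contents are constructed samples rather than output captured from a runner.

```typescript
// Added example, not docker/login-action's own code. (1) keep stderr from a
// successful `docker login` instead of discarding it, and (2) inspect the
// runner's Docker config to confirm credentials went to a credential helper.

interface LoginResult {
  exitCode: number;
  stdout: string;
  stderr: string;
}

// On success the Docker CLI still writes its "stored unencrypted" notice to
// stderr with exit code 0, so return every non-empty stderr line for the
// caller to emit (e.g. via core.warning) rather than dropping it.
function loginWarnings(res: LoginResult): string[] {
  if (res.exitCode !== 0) {
    throw new Error("docker login failed: " + res.stderr.trim());
  }
  return res.stderr
    .split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l.length > 0);
}

// True when the login worked but the password landed in config.json.
function storedUnencrypted(res: LoginResult): boolean {
  return loginWarnings(res).some((l) => l.indexOf("stored unencrypted") !== -1);
}

// Without a credential helper, ~/.docker/config.json holds a base64 "auth"
// entry per registry; with credsStore/credHelpers those entries are absent.
function plaintextRegistries(configJson: string): string[] {
  const cfg = JSON.parse(configJson) as {
    auths?: { [registry: string]: { auth?: string } };
  };
  const auths = cfg.auths || {};
  return Object.keys(auths).filter((registry) => {
    const auth = auths[registry].auth;
    return typeof auth === "string" && auth.length > 0;
  });
}

// Constructed sample output and configs, not captured from a real runner.
const SAMPLE_LOGIN: LoginResult = {
  exitCode: 0,
  stdout: "Login Succeeded\n",
  stderr:
    "WARNING! Your password will be stored unencrypted in /home/runner/.docker/config.json.\n" +
    "Configure a credential helper to remove this warning.\n",
};
const SAMPLE_CONFIG = '{"auths":{"https://index.docker.io/v1/":{"auth":"dXNlcjpwYXNz"}}}';
const HELPER_CONFIG = '{"auths":{"https://index.docker.io/v1/":{}},"credsStore":"pass"}';

console.log(storedUnencrypted(SAMPLE_LOGIN), plaintextRegistries(SAMPLE_CONFIG));
```

Run after a real login to fail the job when `plaintextRegistries` returns anything, which is the condition the hidden warning was signalling.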

@eine

It seems that the warning message is hidden from the users, which is misleading as it provides a false feeling of security. As seen in docker/login-action@adb7347/src/docker.ts#L36, on success stderr is not shown. The warning is precisely shown when the login is successful but insecure.

This issue concerns the credential store used on the GitHub Runner and not this action itself. Also as you can see on your own fork, credentials are removed when the job is finished.

crazy-max avatar Nov 13 '20 08:11 crazy-max

@crazy-max, see actions/starter-workflows#96 (and the ref to docker/cli#2089). Ideally developers/maintainers of Docker and GitHub Actions would communicate with each other for achieving a satisfactory solution.

eine avatar Nov 13 '20 09:11 eine

@eine

Ideally developers/maintainers of Docker and GitHub Actions would communicate with each other for achieving a satisfactory solution.

Maybe GitHub could simply install the pass credential helper on the GitHub Runner. WDYT @clarkbw?

crazy-max avatar Nov 13 '20 09:11 crazy-max

I've asked for this before. I'll push for it again.

clarkbw avatar Nov 13 '20 15:11 clarkbw

Please note this not only affects the "build and push" action. Currently every workflow must/should start with a docker login so as to decrease the chance of being hit by the new rate limiting.

valentijnscholten avatar Nov 30 '20 18:11 valentijnscholten

In the short term can we only filter out the login message?

clarkbw avatar Dec 02 '20 18:12 clarkbw

@clarkbw this issue is about requesting relevant warnings not to be hidden from users. ATM, the warnings are filtered out: #25.

eine avatar Dec 02 '20 19:12 eine

@eine @clarkbw actions/virtual-environments#2304 has been merged. Will be available ~January (https://github.com/actions/virtual-environments/issues/2302#issuecomment-749140395).

crazy-max avatar Dec 22 '20 10:12 crazy-max