
codecov.io security breach

Open krassowski opened this issue 4 years ago • 1 comment

It appears that codecov had a serious security breach related to the Bash Uploader, see https://news.ycombinator.com/item?id=26819983 (their website is currently down, so linking Hacker News instead). As many users just received a security notice, it would be helpful to narrow down which projects are affected.

At first glance it seems that r-lib/covr does not download the bash uploader, so it should NOT be affected, but some users might possibly have received a notification, as there seems to be a shared use of API/code that might have led to false positives:

https://github.com/r-lib/covr/blob/c6d10d9b6ffec0521e49eb5388f5e3a6d47e4bd7/R/codecov.R#L161-L184

  • Could you please confirm that users of covr were not affected?
  • Could you please set up a security policy/advisories (https://github.com/r-lib/covr/security) for the future?

Many thanks for your great work!

krassowski avatar Apr 15 '21 13:04 krassowski
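The distinction raised above, between CI steps that fetch and execute the Codecov Bash Uploader script and covr's approach of talking to the upload API directly, suggests a quick local check for the "which of my projects are affected" question. The script below is an added example, not code from this thread or from the covr project. It assumes the uploader is referenced by its `codecov.io/bash` URL in the scanned files, and the two sample CI configs it builds under a temporary directory are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example (not part of the covr issue thread or the covr project):
# scan a directory of CI configuration files for references to the
# Codecov Bash Uploader, i.e. steps that download and run the script
# from codecov.io/bash. A covr-based R workflow that calls
# covr::codecov() never fetches that script and so does not match.

# scan_bash_uploader DIR
#   Prints file:line:text for every reference to the Bash Uploader URL.
#   Exit status 0 when at least one reference was found, 1 when none.
scan_bash_uploader() {
  grep -rEn 'codecov\.io/bash' "$1"
}

# make_sample
#   Builds a constructed sample tree with one "affected" project whose CI
#   step pulls the uploader script, and one "clean" project that uploads
#   through covr. Prints the path of the temporary directory.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/affected" "$d/clean"
  # Typical Bash Uploader step that the security notice concerns.
  printf 'after_success:\n  - bash <(curl -s https://codecov.io/bash)\n' \
    > "$d/affected/.travis.yml"
  # covr-style step: uploads coverage via the codecov.io API instead.
  printf 'after_success:\n  - Rscript -e "covr::codecov()"\n' \
    > "$d/clean/.travis.yml"
  echo "$d"
}

# Stand-alone usage: build the sample tree, report what references the script.
if [ "${1:-}" = "--demo" ]; then
  sample=$(make_sample)
  if scan_bash_uploader "$sample"; then
    echo "Bash Uploader referenced above; review those projects."
  else
    echo "No Bash Uploader references found."
  fi
  rm -rf "$sample"
fi
```

Run it as `sh scan.sh --demo` to see the constructed "affected" project flagged while the covr-based one is not; point `scan_bash_uploader` at a real checkout (or a directory of cloned repositories) to triage your own projects.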

Yes, R projects using covr are not affected by this because we do not use the bash uploader.

I also just mentioned this in https://twitter.com/jimhester_/status/1382692471612833796

jimhester avatar Apr 15 '21 13:04 jimhester