Report a potential risk of secret leakage in project(barbican)
Dear developers of the project(barbican),

We are software security researchers, currently conducting research on secret detection and leakage risk within the open-source ecosystem. In our analysis, we identified potential secret leakage risks in your project, barbican. We provide the details of our findings in the attachment, which allows you to locate the potentially leaked secrets. Below is an interpretation of the attached data:

{
  'file': '',            # The file containing the secret. The project name, version or commit_hash may be reflected in the file path
  'line_start': 1,       # location: start line of the secret
  'line_end': 28,        # location: end line of the secret
  'col_start': 1,        # location: start column of the secret
  'col_end': 1,          # location: end column of the secret
  'index_start': 0,      # location: start index of the secret
  'index_end': 1675,     # location: end index of the secret
}

Declaration: we hereby declare that we have *NOT* conducted any verification test or exploit on the identified secrets. We plan to publish related research papers in the future, and the relevant content MIGHT BE ACCESSIBLE TO THE PUBLIC due to the 90-day disclosure policy.

Some advice:
1. If the leaked secret is sensitive and still valid, invalidate and rotate the secret immediately.
2. Some secrets seem to be used only in a testing environment. Although probably harmless, it is considered bad practice to include secrets for a test environment in release builds.

Best regards,
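The report's record format gives two coordinate systems for the same span (1-based line/column pairs and 0-based character indexes), and the first thing a maintainer will want to do is pull the referenced text out of the file and confirm the two agree before deciding whether it is a test vector. The following is an added example written for this page, not code from the report's authors or from barbican. It assumes lines and columns are 1-based, indexes are 0-based, and the end position is exclusive (consistent with the report's own sample record ending at line 28, column 1, index 1675); the sample file, path and finding values are constructed, and the triage hints are naming-convention heuristics, not proof that a value is harmless.

```python
"""Locate and sanity-check a reported secret span before triage.

Added example; not code from the original report or from barbican.
Assumptions (labelled here because the report does not state them):
lines/columns are 1-based, indexes are 0-based, end positions are exclusive.
The sample file and finding values below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One record in the shape the report describes."""
    file: str
    line_start: int
    line_end: int
    col_start: int
    col_end: int
    index_start: int
    index_end: int


def offset_of(text: str, line: int, col: int) -> int:
    """0-based offset of 1-based (line, col); col may sit just past line end."""
    lines = text.split("\n")
    if not 1 <= line <= len(lines):
        raise ValueError(f"line {line} outside file with {len(lines)} lines")
    if not 1 <= col <= len(lines[line - 1]) + 1:
        raise ValueError(f"column {col} outside line {line}")
    return sum(len(ln) + 1 for ln in lines[: line - 1]) + (col - 1)


def locate(text: str, f: Finding) -> tuple[str, list[str]]:
    """Return the span addressed by line/col and a list of disagreements
    with the record's index fields (an inconsistent record is a sign the
    tool and the reviewer are not looking at the same bytes)."""
    problems: list[str] = []
    try:
        start = offset_of(text, f.line_start, f.col_start)
        end = offset_of(text, f.line_end, f.col_end)
    except ValueError as exc:
        return "", [str(exc)]
    if start != f.index_start:
        problems.append(f"line/col start is {start}, record says {f.index_start}")
    if end != f.index_end:
        problems.append(f"line/col end is {end}, record says {f.index_end}")
    return text[start:end], problems


def triage_hints(path: str, text: str, f: Finding) -> list[str]:
    """Heuristic hints (assumed conventions) that a hit may be a test vector."""
    hints: list[str] = []
    name = path.rsplit("/", 1)[-1]
    if path.startswith("tests/") or "/tests/" in path or name.startswith("test_"):
        hints.append("test-path")
    lines = text.split("\n")
    if lines[f.line_start - 1].lstrip().startswith("#"):
        hints.append("comment-line")
    if f.line_start >= 2 and lines[f.line_start - 2].lstrip().startswith("#"):
        hints.append("annotated-by-preceding-comment")
    return hints


# Constructed sample file: a unit-test module holding a placeholder key.
SAMPLE_PATH = "tests/test_vectors.py"
SAMPLE_TEXT = (
    '"""Constructed sample: test vectors only, not real credentials."""\n'
    "\n"
    "# Example key used only by unit tests (not a real secret)\n"
    'TEST_API_KEY = "example-not-a-real-key-0123456789"\n'
    "\n"
    "def check(k):\n"
    "    return k == TEST_API_KEY\n"
)

# Constructed findings: one consistent, one with index_end off by one.
SAMPLE_FINDING = Finding(SAMPLE_PATH, 4, 4, 17, 50, 142, 175)
BAD_FINDING = Finding(SAMPLE_PATH, 4, 4, 17, 50, 142, 176)


if __name__ == "__main__":
    for finding in (SAMPLE_FINDING, BAD_FINDING):
        span, problems = locate(SAMPLE_TEXT, finding)
        print(f"{finding.file}:{finding.line_start}: {span!r}")
        for p in problems:
            print("  inconsistent record:", p)
        print("  hints:", triage_hints(finding.file, SAMPLE_TEXT, finding))
```

The line/column pair is treated as authoritative because that is what a human reviewer reads; a mismatch against the index fields is reported rather than silently resolved, since a tool that counts bytes while the reviewer counts characters (or disagrees on line endings) will produce exactly that symptom.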
Just a heads up that I approved all of these posts through moderation in the interest of transparency (the authors were not subscribers to the list and so their posts were automatically held). I personally inspected each and every report before approving, and have confirmed that every recorded instance is either of test vectors or examples in code comments, and in the case of the cinder and manila repos some drivers have fallback or placeholder credential values for communicating with certain devices/protocols. None of these appears to represent any exploitable risk, but if contributors want to take this as an opportunity to add further code comments stating this, I suppose it might help avoid similar confusion in the future. If this sort of reporting continues, list moderators may begin to reject further posts on the grounds that it's noise and not contributing useful information to our community.
-- 
Jeremy Stanley
On Tue, 2024-08-13 at 13:11 +0000, Jeremy Stanley wrote:
> Just a heads up that I approved all of these posts through moderation in the interest of transparency (the authors were not subscribers to the list and so their posts were automatically held).
> I personally inspected each and every report before approving, and have confirmed that every recorded instance is either of test vectors or examples in code comments, and in the case of the cinder and manila repos some drivers have fallback or placeholder credential values for communicating with certain devices/protocols.
> None of these appears to represent any exploitable risk, but if contributors want to take this as an opportunity to add further code comments stating this, I suppose it might help avoid similar confusion in the future.
Thanks for your diligence here. I was concerned they were public disclosures of a security vulnerability to the list, which would obviously be very damaging to the community and users alike.
> If this sort of reporting continues, list moderators may begin to reject further posts on the grounds that it's noise and not contributing useful information to our community.
In its current form I would agree this is already a little spam, but not terribly so. It would have been better if they filed a single bug and added all affected projects, or included the project [nova] header in the subject. If this was an actual vulnerability then our normal process of reporting security issues should have been followed.
On 2024-08-13 14:33:48 +0100 (+0100), smooney@redhat.com wrote:
[...]
> In its current form I would agree this is already a little spam, but not terribly so.
> It would have been better if they filed a single bug and added all affected projects, or included the project [nova] header in the subject.
> If this was an actual vulnerability then our normal process of reporting security issues should have been followed.
Yes, to be clear, if any of them looked like they contained an exploitable risk I would have rejected that ML post and opened a private security bug for the corresponding project with the relevant information.
-- 
Jeremy Stanley
participants (3)
- Jeremy Stanley
- jiawei_zhou@seu.edu.cn
- smooney@redhat.com