[New-bugs-announce] [issue43982] Code coverage on the CI: validate codecov shell script checksum

STINNER Victor report at bugs.python.org
Thu Apr 29 19:36:48 EDT 2021


New submission from STINNER Victor <vstinner at python.org>:

Currently, GitHub Action and Travis CI run a codecov bash script downloaded from https://codecov.io/bash without validating it.

The script was recently compromised:
https://about.codecov.io/security-update/

We should validate the shell script integrity by checking its checksum. Example from the documentation:
-------------
# Download the uploader and read the version it declares.
curl -s https://codecov.io/bash > codecov;
VERSION=$(grep -o 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2);
# Verify the download against the SHA1, SHA256 and SHA512 sums published
# for that version; the fallback without --ignore-missing covers older shasum.
for i in 1 256 512
do
  shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM") ||
  shasum -a $i -c <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM")
done
-------------

See: https://docs.codecov.io/docs/about-the-codecov-bash-uploader
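The same idea, reduced to its core, as an added example (not part of the report or of codecov's own documentation): pin a SHA-256 digest in the CI config and refuse to run a downloaded helper script whose digest does not match. It assumes sha256sum or shasum is available; the script contents and the pinned digest are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify a downloaded CI script against a pinned digest before
# running it. The sample script below is constructed; in real CI the pinned
# digest is committed alongside the workflow rather than computed at run time.

# Print the SHA-256 hex digest of a file, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_script FILE EXPECTED_SHA256: 0 if the digest matches, 1 otherwise.
verify_script() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "checksum mismatch for $1: expected $2, got $actual" >&2
  return 1
}

# run_verified FILE EXPECTED_SHA256: execute FILE only after it verifies.
run_verified() {
  verify_script "$1" "$2" || return 1
  sh "$1"
}

# Constructed stand-in for the downloaded uploader script.
GOOD=$(mktemp)
printf '%s\n' '#!/bin/sh' 'echo "uploader ran"' > "$GOOD"
PINNED=$(sha256_of "$GOOD")   # value that would be committed in the CI config

# Constructed modified copy: one extra line, so the digest no longer matches.
TAMPERED=$(mktemp)
printf '%s\n' '#!/bin/sh' 'echo "uploader ran"' 'echo "extra line"' > "$TAMPERED"

run_verified "$GOOD" "$PINNED"                          # runs, prints "uploader ran"
run_verified "$TAMPERED" "$PINNED" || echo "refused to run modified script"
```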

----------
components: Tests
messages: 392362
nosy: vstinner
priority: normal
severity: normal
status: open
title: Code coverage on the CI: validate codecov shell script checksum
versions: Python 3.10

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue43982>
_______________________________________
