
[Security Advisory]: Default self-hosted config exposes database #4

Open
jeff-a-holland-codecov opened this issue Apr 1, 2024 · 0 comments


Package and Versions

File: https://github.com/codecov/self-hosted/blob/main/docker-compose.yml#L78

Description

Codecov can be self-hosted using the example configuration shared in the self-hosted repository. Reviewing the default docker-compose setup shows that it does so insecurely: it exposes the main database, the MinIO buckets and the timescale database.

Impact

The default docker-compose setup uses an insecure default configuration, exposing the main database, the MinIO buckets and the timescale database.

Patches

Fixed and merged as a result of 2024 pentest.

Codecov Cloud: Not applicable
Codecov Self-Hosted: See: codecov/self-hosted#36

If you are using our repo directly, you can pull main and restart. If you have diverged from our repo, just update the ports and restart.
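As an added illustration (not the project's own compose file, and with service names, images and port numbers assumed), the pattern that publishes the backing stores on every host interface, beside a configuration that keeps them reachable only from other services on the compose network:

```yaml
# Added illustration, not the codecov/self-hosted docker-compose.yml.
# Service names, images and port numbers are assumed.

# BEFORE: a bare "host:container" entry under ports: binds the container port
# on 0.0.0.0, so the database, TimescaleDB and MinIO are reachable by anything
# that can reach the host, protected only by the default credentials.
services:
  postgres:
    image: postgres:14
    ports:
      - "5432:5432"
  timescale:
    image: timescale/timescaledb:latest-pg14
    ports:
      - "5433:5432"
  minio:
    image: minio/minio
    ports:
      - "9000:9000"
---
# AFTER: no host port is published. The api/worker services reach the stores
# by service name (postgres:5432, timescale:5432, minio:9000) over the network
# compose creates; expose: documents the container port without binding it on
# the host. For local debugging, bind to loopback only, e.g. "127.0.0.1:5432:5432".
services:
  postgres:
    image: postgres:14
    expose:
      - "5432"
  timescale:
    image: timescale/timescaledb:latest-pg14
    expose:
      - "5432"
  minio:
    image: minio/minio
    expose:
      - "9000"
```

After restarting, `docker compose config` should show no `ports:` entries for these services, and `ss -ltn` on the host should no longer list 5432, 5433 or 9000 as listening.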

Workarounds

Disclaimer
With regard to the default config: this is meant for a quick POC or an example of how to run Codecov. This configuration is not hardened for security and any usage is at your own risk. Default database credentials are included in the docker compose config; at a minimum, these should be changed before wider usage. The MinIO bucket is also exposed via the docker compose. This is needed for Codecov to function locally. While no secret data is stored in this bucket, it is still recommended to make it private and interface with storage via presigned URLs. This necessitates using a storage backend such as S3 or GCS.

CVSS 3.1 Score and Vector

CVSS Score: 7.3
CVSS Vector: [AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L]

Information

Credit: Issue found by Cure53 during 2024 pentest
