Between September 3 and 10, public open source repositories that used the Travis CI tool were exposing their passwords, credentials, and tokens to potential theft. Ethereum developer Felix Lange discovered the vulnerability on the 7th and sounded the alarm to those responsible for the platform.
Although the flaw has since been patched, the Ethereum team now claims that they had to pressure those responsible for Travis CI to take action, and that, after doing so, the situation was not properly explained to the rest of the affected users. As stated on Twitter:
“After three days being pressured by multiple projects, @travisci quietly patched the issue on the 10th. [There was] no analysis, no security report, no autopsy, no warning to any of its users that their secrets might have been stolen.”
Finally, Travis CI has publicly admitted the vulnerability (classified as CVE-2021-41077), while downplaying its importance:
“Based on the information received, a public repository forked from another could submit a pull request and, by doing so, gain unauthorized access to the secret data in the original repository. In this scenario, that data is still encrypted in the Travis CI database. The problem only applies to public repositories, not private repositories.”
The Travis CI security bulletin takes the opportunity to remind us that “changing your passwords from time to time is something that all users should do”.
Szilágyi, a lead Ethereum developer, points out in statements to The Register and Ars Technica that, although the secret keys remain encrypted while they sit on disk at Travis,
“Once compilation starts, Travis decrypts them and injects them into compilations in the form of environment variables.”
“[But] such variables should not be inserted into external code, since the maintainer has no control over the code sent by people outside the project. The problem was that they screwed up something and ended up injecting the secret keys into builds that weren’t trustworthy.”
Szilágyi, disappointed with the platform’s attitude, has already recommended that developers consider looking for an alternative to Travis CI, so that they “transfer their projects away from Travis immediately and indefinitely.”
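To make the mechanism above concrete, the following shell snippet is an added example (not code from the article, from Ethereum or from Travis CI) of the kind of guard a maintainer can place at the top of a build script as defence in depth: it uses the documented Travis variables TRAVIS_PULL_REQUEST, TRAVIS_PULL_REQUEST_SLUG and TRAVIS_REPO_SLUG to tell a fork pull request apart from the project's own branches, and unsets the secret variables before any later step can read them. The secret names DEPLOY_TOKEN and NPM_TOKEN are placeholders.

```shell
#!/bin/sh
# Added example, not from the article or from Travis CI.
# Withholds secret environment variables from builds triggered by a fork
# pull request, the case in which Travis CI itself was wrongly injecting them.
# Relies on the documented Travis variables:
#   TRAVIS_PULL_REQUEST       "false" for non-PR builds, else the PR number
#   TRAVIS_PULL_REQUEST_SLUG  owner/repo of the pull request's head repository
#   TRAVIS_REPO_SLUG          owner/repo of the repository being built

# is_untrusted_build PR_NUMBER PR_SLUG REPO_SLUG
# Returns 0 (true) when the build comes from a pull request whose head
# repository is not the repository that owns the secrets.
is_untrusted_build() {
    pr="$1"; pr_slug="$2"; repo_slug="$3"
    if [ -z "$pr" ] || [ "$pr" = "false" ]; then
        return 1        # push, cron or API build of the repository itself
    fi
    if [ "$pr_slug" = "$repo_slug" ]; then
        return 1        # pull request from a branch of the same repository
    fi
    return 0            # pull request from a fork
}

# scrub_secrets NAME...
# Unsets each named variable in the current shell so later build steps
# (and anything they print to the build log) cannot read it.
scrub_secrets() {
    for name in "$@"; do
        unset "$name"
    done
}

# guard_secrets NAME...
# Entry point for a build script: reads the Travis variables from the
# environment and scrubs the listed secrets on untrusted builds.
# Returns 0 when the secrets were kept, 1 when they were withheld.
guard_secrets() {
    if is_untrusted_build "${TRAVIS_PULL_REQUEST:-false}" \
                          "${TRAVIS_PULL_REQUEST_SLUG:-}" \
                          "${TRAVIS_REPO_SLUG:-}"; then
        echo "fork pull request build: withholding secrets" >&2
        scrub_secrets "$@"
        return 1
    fi
    return 0
}

# Usage at the top of a build script; DEPLOY_TOKEN and NPM_TOKEN are
# placeholder names for the repository's encrypted variables.
# guard_secrets DEPLOY_TOKEN NPM_TOKEN || echo "deploy steps will be skipped" >&2
```

A guard like this only narrows the window: it runs inside the build, so it cannot substitute for the platform refusing to inject secrets into fork builds in the first place, which is the control that failed here. Any secret that was present in a public repository's builds during the affected period should be treated as exposed and rotated, whatever the build script did.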
What exactly does Travis CI offer?
Travis CI is a distributed build and continuous integration platform: it connects to a Git repository (hosted on GitHub or Bitbucket), clones it after each push, and runs the project’s tests in fresh virtual environments with different configurations, rebuilding the project each time.
If none of the tests run through Travis CI fail, the build is considered successful and is ready for deployment to the corresponding host or web server.