Glad to see a few more security knobs on actions these days!
This article lends some credibility to that notion.
From everything I know about pentesting, they should have stopped before doing this, right? From https://hackerone.com/aws_vdp?type=team :
> You may only interact with accounts you own or with explicit written permission from AWS or the account owner
This is oftentimes political. The CISO wants additional budget for secure coding training and to hire more security engineers, let the pentesting firm demonstrate a massive compromise and watch the dollars roll in.
A lot of the time, especially in smaller companies, it's the opposite. No one is responsible for security and customers demand some kind of audit. "Don't touch anything we don't authorize and don't do anything that might impact our systems without explicit permissions."
Wiz is a very prominent cloud security company that probably has incredibly lucrative contracts with AWS already, and their specialty, as I understand it, is identifying full "kill chains" in cloud environments. From access issues all the way to compromise of sensitive assets.
chuckadams•3w ago
Said tokens didn't have admin access, but had enough privileges to invite other users to become full admins. Not sure if they were rotated, but GitHub tokens are usually long-lived, like up to a year. Hey, isn't AWS the one always lecturing us to use temporary credentials? To be fair, AWS did more than just fix the regex, they introduced an "approve workflow run" UI onto the PR process that I think GH is also using now (not sure about that).
cyberax•3w ago
Ah... GitHub permissions. What fun.
GitHub actually has a way to federate with AWS for short-lived credentials, but then it screws everything up by completely half-assing the ghcr.io implementation. It's only available using the old deprecated classic access tokens.
catlifeonmars•3w ago
fowl2•2w ago
cyberax•2w ago
Obviously, GitHub needs to just fix this nonsense. But I interviewed a couple of "senior" engineers from GitHub, and I have zero hope of that happening soon.
bflesch•3w ago
chuckadams•3w ago
catlifeonmars•3w ago
maxbond•3w ago
catlifeonmars•3w ago
catlifeonmars•2w ago
> I tossed out some tests that were asserting they could index a list at `foo.len()` instead of `foo.len() - 1`.
SkiFire13•3w ago
TacticalCoder•3w ago
Regexes for security allow lists: what could possibly ever go wrong, uh!?
whatever1•3w ago
pxc•3w ago
That said, what this regex wanted to be was obviously just a list. AWS should offer simpler abstractions (like lists) where they make sense.
catlifeonmars•3w ago
Agree. I would understand if there was some obvious advantage here, but it doesn’t really seem like there is a dimension here where regex has an advantage over a list. It’s (1) harder to implement, (2) harder to review, (3) much harder to test comprehensively, (4) harder for users to use (correctly/safely).
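To make the list-versus-regex point concrete, here is an added example (not code from the thread, from AWS, or from the repository being discussed). It gates on the owner of a PR's head repository, which is a common shape for this kind of check. The loose pattern, the strict pattern and the sample repo slugs are all constructed stand-ins: the loose one shows one of the classic ways an allow-list regex goes wrong (anchors that bind to only one alternation branch), and the exact-match set shows why a plain list is the easier thing to review and test.

```python
import re

# Constructed example: gating a CI job on whether the PR's source owner is trusted.
# Neither pattern below is the one from the AWS repository discussed in the thread;
# they are hypothetical stand-ins chosen to show the failure modes.

TRUSTED_OWNERS = frozenset({"awslabs", "aws-samples"})

# Pitfall: anchors bind only to their own alternation branch, so this regex reads
# as (^awslabs) OR (aws-samples$), not ^(awslabs|aws-samples)$.
LOOSE_PATTERN = re.compile(r"^awslabs|aws-samples$")

# The same intent written correctly: one group, both ends anchored. Any literal
# that is also a regex metacharacter would additionally need escaping.
STRICT_PATTERN = re.compile(r"^(?:awslabs|aws-samples)$")


def owner_of(repo: str) -> str:
    """'owner/name' -> 'owner'. A slug with no slash yields '' and so never matches."""
    owner, sep, _ = repo.partition("/")
    return owner if sep else ""


def allowed_by_loose_regex(repo: str) -> bool:
    # search() mirrors the usual unanchored "does it match somewhere" usage.
    return LOOSE_PATTERN.search(owner_of(repo)) is not None


def allowed_by_strict_regex(repo: str) -> bool:
    return STRICT_PATTERN.fullmatch(owner_of(repo)) is not None


def allowed_by_list(repo: str) -> bool:
    """Exact set membership: no metacharacters, no anchors, trivially reviewable."""
    return owner_of(repo) in TRUSTED_OWNERS


# Constructed sample of head-repo slugs a workflow might see.
SAMPLES = [
    "awslabs/some-tool",          # trusted
    "aws-samples/demo",           # trusted
    "awslabs-mirror/some-tool",   # untrusted: shares a prefix with a trusted owner
    "not-aws-samples/demo",       # untrusted: shares a suffix with a trusted owner
    "random-user/some-tool",      # untrusted
    "no-slash-at-all",            # malformed
]


def evaluate(repo_slugs=SAMPLES) -> dict:
    """Return {slug: (loose, strict, list)} so the three checks can be compared side by side."""
    return {
        slug: (
            allowed_by_loose_regex(slug),
            allowed_by_strict_regex(slug),
            allowed_by_list(slug),
        )
        for slug in repo_slugs
    }


def regex_disagreements(repo_slugs=SAMPLES) -> list:
    """Slugs where the loose regex and the exact list give different answers."""
    return [s for s, (loose, _, exact) in evaluate(repo_slugs).items() if loose != exact]


if __name__ == "__main__":
    for slug, (loose, strict, exact) in evaluate().items():
        print(f"{slug:28} loose={loose!s:5} strict={strict!s:5} list={exact}")
```

Running it shows the loose regex accepting both of the look-alike owners while the strict regex and the set agree on every input. The set version also has the property the comment above is asking for: adding or removing a trusted owner is a one-line diff with no chance of changing how the other entries are interpreted.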
twoodfin•3w ago
Wrong tradeoff, to be sure.
bink•3w ago
edoceo•3w ago
SkiFire13•3w ago
ruined•3w ago
chuckadams•3w ago