A vulnerability was discovered in public repositories, enabling forked projects to access secret variables in their parent projects #2917
Closed. mikhail-tokarev announced in Announcements. Replies: 0 comments
Description
A vulnerability was identified in Codemagic projects hosted on public Git repositories. When configured to automatically run builds on pull requests and share secure environment variables with the workflow, an attacker could exploit the issue by forking the public repository and modifying the source code to access those secure environment variables. This issue has since been resolved.
Resolution
On public Git repositories, arbitrary users are generally allowed to create forks and submit pull requests. These users may be from outside your organization and are generally considered untrusted for the purpose of running automated builds.
In such cases, all builds triggered by outside contributors will run without access to secure environment variables. To help identify these builds and enforce access restrictions, Codemagic provides explicit debug information in the "Preparing build machine" step logs.
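The fork rule described above, written up as an added Python example (it is not Codemagic's code): it applies the same policy to a constructed GitHub-style `pull_request` webhook payload, withholds secure variables whenever the head repository differs from the base repository, and treats a missing head repository (a fork that was deleted after the PR was opened) as untrusted. The log wording is constructed and only echoes the "Preparing build machine" step name; it is not Codemagic's actual log format.

```python
# Added example: a fork-aware secret-injection policy for pull-request builds.
# Not Codemagic's implementation. The payload shape follows GitHub's pull_request
# webhook (pull_request.head.repo.full_name / pull_request.base.repo.full_name).

def is_from_fork(payload: dict) -> bool:
    """True when the PR's head branch lives outside the base repository."""
    pr = payload["pull_request"]
    base = pr["base"]["repo"]["full_name"]
    head_repo = pr["head"].get("repo")  # GitHub sends null if the fork was deleted
    if head_repo is None:
        return True  # origin unknown: treat as untrusted
    return head_repo["full_name"].lower() != base.lower()


def build_environment(payload: dict, plain_vars: dict, secure_vars: dict) -> tuple[dict, list[str]]:
    """Assemble the environment for a PR build.

    Plain variables always pass through. Secure variables are injected only when
    the PR comes from the base repository itself; fork builds get a log line
    explaining why they were withheld (constructed wording).
    """
    env = dict(plain_vars)
    log: list[str] = []
    if is_from_fork(payload):
        log.append("Preparing build machine: pull request from fork; "
                   f"withholding {len(secure_vars)} secure variable(s)")
        return env, log
    env.update(secure_vars)
    log.append("Preparing build machine: trusted source; secure variables loaded")
    return env, log


def _pr_payload(base_repo: str, head_repo) -> dict:
    """Constructed sample payload in GitHub's pull_request webhook shape."""
    head = {"repo": {"full_name": head_repo}} if head_repo else {"repo": None}
    return {"pull_request": {"base": {"repo": {"full_name": base_repo}}, "head": head}}


if __name__ == "__main__":
    plain = {"BUILD_TYPE": "release"}
    secure = {"SIGNING_KEY": "<placeholder secret>"}
    for head in ("acme/app", "outsider/app", None):
        env, log = build_environment(_pr_payload("acme/app", head), plain, secure)
        print(log[0], "->", sorted(env))
```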
If you have any questions or concerns, don’t hesitate to contact us.
History
2025 January 6: The vulnerability was fully resolved.
2024 December 24: A hotfix was applied to prevent triggering new builds from forked repositories when using secret variables.
2024 December 24: The vulnerability was reported by a Codemagic user.