I am red teaming for my employer (Teleport) and one of our findings is:
Compromising our self-hosted Drone database allows harvesting users' GitHub OAuth tokens. From those, I can clone private repos that have nothing to do with our organization, but instead reside under individual employees' accounts. For example:
> select user_oauth_token from users where user_login='wadells'; gho_ID...
Allows me to do the following:
$ git clone https://gho_ID...@github.com/wadells/ctf.git
Where wadells/ctf is private and has nothing to do with my employer. As an open source security company, this is something we’re pretty deeply uncomfortable with – we hire active OSS contributors and don’t want employment with us and use of Drone to compromise their personal security.
We'd like to request the ability for self-hosted Drone Enterprise to connect to GitHub via GitHub Apps:
This has several advantages:
- We’re able to limit blast radius to only the org repositories we want to run CI on
- It avoids situations like "Drone stopped working after the admin user was removed from repo"
In the interim, we're looking at dedicated users solely for Drone, but that has a greater burden of user management, or removes our employees' ability to e.g. retrigger builds or interact with private repos.
Thanks for your time and consideration!
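Added example, not code from the original post or from the Drone project: a small Python audit over rows read from Drone's users table (the user_login and user_oauth_token columns named in the post; the sample rows and token values are constructed) that classifies each stored GitHub token by its documented prefix and lists which logins hold user-scoped tokens, i.e. the blast radius described above. The report carries only a hash fingerprint of each token, so running it does not re-leak the secrets.

```python
import hashlib
# GitHub token prefixes (introduced 2021). Anything else is treated as a
# legacy 40-hex token whose kind cannot be told from the value alone.
TOKEN_KINDS = {
    "gho_": ("oauth-user", "long-lived; reaches every repo the user can, in or outside the org"),
    "ghu_": ("app-user", "GitHub App user-to-server; expires, limited to the installation's repos"),
    "ghs_": ("app-installation", "GitHub App server-to-server; short-lived, installation repos only"),
    "ghp_": ("personal-access", "PAT; scope and lifetime chosen by the user, not bound to the org"),
}
# Kinds whose reach is the user's whole account rather than the org's installation.
USER_SCOPED = {"oauth-user", "personal-access", "legacy"}

def classify_token(token):
    """Return (kind, note) for a token value as stored in Drone's users table."""
    if not token:
        return ("none", "no token stored")
    for prefix, (kind, note) in TOKEN_KINDS.items():
        if token.startswith(prefix):
            return (kind, note)
    if len(token) == 40 and all(c in "0123456789abcdef" for c in token.lower()):
        return ("legacy", "pre-2021 format; assume user-scoped")
    return ("unknown", "unrecognised format")

def fingerprint(token):
    """Short SHA-256 prefix so an audit report can reference a token without repeating it."""
    return hashlib.sha256(token.encode()).hexdigest()[:12] if token else ""

def audit_users(rows):
    """rows: iterable of (user_login, user_oauth_token) as read from the users table."""
    report = []
    for login, token in rows:
        kind, note = classify_token(token)
        report.append({"login": login, "kind": kind, "note": note, "fingerprint": fingerprint(token)})
    return report

def user_scoped_logins(report):
    """Logins whose stored token extends past the org's repos: the blast radius of a DB compromise."""
    return sorted(r["login"] for r in report if r["kind"] in USER_SCOPED)

# Constructed sample rows; token values are made up, not real secrets.
SAMPLE_ROWS = [
    ("wadells", "gho_" + "A" * 36),
    ("drone-app", "ghs_" + "B" * 36),
    ("olduser", "c" * 40),
    ("noauth", ""),
]

if __name__ == "__main__":
    for r in audit_users(SAMPLE_ROWS):
        print(f"{r['login']:10} {r['kind']:16} {r['fingerprint']:12} {r['note']}")
```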