Let's Hack a Pipeline: Stealing Another Repo

We’re back with another Let’s Hack a Pipeline. Last time, we saw how to create – and prevent – argument injection. In this episode, we’ll look at how a malicious user could access source code they shouldn’t see. Welcome to Episode II: Stealing Another Repo.

As I said before: security is a shared responsibility. The purpose of this series is to showcase some pitfalls to help you avoid them. I can’t possibly cover every single angle, and examples have been simplified to make the point.

The setup

In a large company, there are probably some code repos I’m not allowed to see. Even inside Microsoft, which has a pretty open culture, someone from Game Studio A usually can’t see what Game Studio B is working on. But their build system can!

Let’s say we’ve got two team projects inside one Azure DevOps organization. Each of those projects has one or more Git repos. And let’s say I’m on the Popular FPS Game team, which has a daily CI pipeline for our upcoming release, “Popular FPS Game: Sequel”.

The fabrikam-game-studios organization has these objects:

  • Project: Popular FPS Game
    • Repo: popular-fps-game
    • Repo: popular-fps-game-sequel
    • Pipeline: sequel-ci
  • Project: Beautiful Racing Game
    • Repo: beautiful-racing-game

The sequel-ci pipeline is a small YAML file living in the popular-fps-game-sequel repo:

```yaml
# sequel-ci.yml
pool: { vmImage: ubuntu-latest }

steps:
- script: |
    make game
    make test
```
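Since the point of the setup is that the build identity, not the user, decides which repos a job can read, here is a hardened variant of sequel-ci.yml. This is an added example, not the post's own file: it makes the checkout explicit, stops the job token from being left behind for later steps, and assumes the Azure DevOps project setting "Limit job authorization scope to current project" is enabled so that the job's token cannot reach repos in other projects such as Beautiful Racing Game.

```yaml
# sequel-ci.yml (hardened variant; added example, not the original file)
pool: { vmImage: ubuntu-latest }

# Assumption: the project setting "Limit job authorization scope to current
# project" is turned on. With it, the access token this job receives is scoped
# to Popular FPS Game only, so a step cannot clone beautiful-racing-game even
# though the build service identity exists at the organization level.

steps:
# Check out only the repo this YAML lives in (popular-fps-game-sequel),
# rather than relying on the implicit checkout.
- checkout: self
  # Do not persist the job's access token in .git/config; later script steps
  # would otherwise be able to reuse it for further git operations.
  persistCredentials: false

- script: |
    make game
    make test
```

Pair the YAML with a review of which identity the pipeline runs as: if the project-scoped setting is off, the organization-wide build service account is what the job's token represents, and the YAML alone cannot narrow that.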
