From 6fe5c6e35f53262439db9b72d8be306a24a6c575 Mon Sep 17 00:00:00 2001 From: vkallesh Date: Mon, 29 Jun 2026 14:55:32 +0000 Subject: [PATCH] [CI][Security] ROCM-26573: Move secrets from argv to environment variables Fix for ROCM-26573 - Plaintext HTTP Auth Token Transmission and Secrets Exposed on Process argv Issue: buildbot-psdb-trigger.yml and compute-rocm-dkmd-afar-trigger.yml pass secrets directly on the shell command line (argv), making them visible to any process that can read /proc//cmdline or tools like ps, top, htop. Additionally, Buildbot API calls used HTTP instead of HTTPS, exposing credentials to network observers. Impact: Secrets (BUILDBOT_USER, BUILDBOT_PWD, CI_JENKINS_TOKEN) are visible in process listings, shell history, and system monitoring tools. HTTP transmission allows MITM attacks and credential interception. Fix: 1. Move all secrets from argv to env: blocks 2. Pass secrets to docker containers via -e flags 3. Access secrets via $ENV_VAR in shell, os.environ in Python 4. Change all Buildbot HTTP URLs to HTTPS (lines 86, 93) 5. Remove echo of BUILDBOT_HOST:PORT (information disclosure) Files modified: - .github/workflows/buildbot-psdb-trigger.yml * Moved BUILDBOT_USER, BUILDBOT_PWD, BUILDBOT_HOST, BUILDBOT_WORKER_PORT to env: * Changed http:// to https:// for Buildbot API calls * Removed echo of secrets - .github/workflows/compute-rocm-dkmd-afar-trigger.yml * Moved CI_JENKINS_USER, ROCM_JENKINS_CI_TOKEN to env: * Access via os.environ[] instead of workflow substitution --- .github/workflows/buildbot-psdb-trigger.yml | 36 ++++++++++++++++--- .../compute-rocm-dkmd-afar-trigger.yml | 21 ++++++++--- 2 files changed, 47 insertions(+), 10 deletions(-) diff --git a/.github/workflows/buildbot-psdb-trigger.yml b/.github/workflows/buildbot-psdb-trigger.yml index 471fd4001ae84..fc9aaff9f0594 100644 --- a/.github/workflows/buildbot-psdb-trigger.yml +++ b/.github/workflows/buildbot-psdb-trigger.yml @@ -47,9 +47,35 @@ jobs: shell: python3 {0} - name: Trigger Buildbot Build - run: | - echo "${{ secrets.BUILDBOT_HOST }}:${{ secrets.BUILDBOT_WORKER_PORT }}" - docker exec -e PR_TITLE="$PR_TITLE" "${{env.CONTAINER_NAME}}" /bin/bash -c 'buildbot sendchange -W ${{ secrets.BUILDBOT_USER }} -a ${{secrets.BUILDBOT_USER}}:${{secrets.BUILDBOT_PWD}} --master="${{ secrets.BUILDBOT_HOST }}:${{ secrets.BUILDBOT_WORKER_PORT }}" --branch=${{ env.BASE_BRANCH }} --revision=${{ env.PR_SHA }} -p PR_NUMBER:${{ env.PR_NUMBER }} -p PR_TITLE:"$PR_TITLE" -p PR_URL:${{ env.PR_URL }} -p SHA:${{ env.PR_SHA }}' + env: + BUILDBOT_USER: ${{ secrets.BUILDBOT_USER }} + BUILDBOT_PWD: ${{ secrets.BUILDBOT_PWD }} + BUILDBOT_HOST: ${{ secrets.BUILDBOT_HOST }} + BUILDBOT_WORKER_PORT: ${{ secrets.BUILDBOT_WORKER_PORT }} + run: | + docker exec \ + -e BUILDBOT_USER \ + -e BUILDBOT_PWD \ + -e BUILDBOT_HOST \ + -e BUILDBOT_WORKER_PORT \ + -e BASE_BRANCH="${{ env.BASE_BRANCH }}" \ + -e PR_SHA="${{ env.PR_SHA }}" \ + -e PR_NUMBER="${{ env.PR_NUMBER }}" \ + -e PR_TITLE="$PR_TITLE" \ + -e PR_URL="${{ env.PR_URL }}" \ + "${{env.CONTAINER_NAME}}" \ + /bin/bash -c ' + buildbot sendchange \ + -W "$BUILDBOT_USER" \ + -a "$BUILDBOT_USER:$BUILDBOT_PWD" \ + --master="$BUILDBOT_HOST:$BUILDBOT_WORKER_PORT" \ + --branch="$BASE_BRANCH" \ + --revision="$PR_SHA" \ + -p PR_NUMBER:"$PR_NUMBER" \ + -p PR_TITLE:"$PR_TITLE" \ + -p PR_URL:"$PR_URL" \ + -p SHA:"$PR_SHA" + ' - name: Set Initial Status to Pending run: | @@ -83,14 +109,14 @@ jobs: import time import requests GITHUB_TOKEN = os.getenv('GITHUB_TOKEN') - BUILD_URL = 'http://${{ secrets.BUILDBOT_HOST }}:${{ secrets.BUILDBOT_MASTER_PORT }}/api/v2/builds' + BUILD_URL = 'https://${{ secrets.BUILDBOT_HOST }}:${{ secrets.BUILDBOT_MASTER_PORT }}/api/v2/builds' TARGET_SHA = os.getenv('PR_SHA') print('debug', TARGET_SHA) MAX_RETRIES = 10 RETRY_INTERVAL = 30 # seconds def get_build_properties(build_id): - build_properties_url = f'http://${{ secrets.BUILDBOT_HOST }}:${{ secrets.BUILDBOT_MASTER_PORT }}/api/v2/builds/{build_id}/properties' + build_properties_url = f'https://${{ secrets.BUILDBOT_HOST }}:${{ secrets.BUILDBOT_MASTER_PORT }}/api/v2/builds/{build_id}/properties' response = requests.get(build_properties_url, headers={'Accept': 'application/json', 'Authorization': f'token {GITHUB_TOKEN}'}) return response.json() diff --git a/.github/workflows/compute-rocm-dkmd-afar-trigger.yml b/.github/workflows/compute-rocm-dkmd-afar-trigger.yml index c44027fc3474f..08ce63652b652 100644 --- a/.github/workflows/compute-rocm-dkmd-afar-trigger.yml +++ b/.github/workflows/compute-rocm-dkmd-afar-trigger.yml @@ -26,16 +26,27 @@ jobs: docker exec "${{env.CONTAINER_NAME}}" /bin/bash -c "echo 'Running commands inside the container'" - name: Trigger compute-rocm-dkms-afar job + env: + JENKINS_USER: ${{ secrets.CI_JENKINS_USER }} + JENKINS_TOKEN: ${{ secrets.ROCM_JENKINS_CI_TOKEN }} + JENKINS_HOST: ${{ secrets.ROCM_JENKINS_HOST }} + JENKINS_JOB: ${{ secrets.ROCM_JENKINS_OSDB_JOB }} run: | - docker exec "${{env.CONTAINER_NAME}}" /bin/bash -c "python -c \" + docker exec \ + -e JENKINS_USER \ + -e JENKINS_TOKEN \ + -e JENKINS_HOST \ + -e JENKINS_JOB \ + "${{env.CONTAINER_NAME}}" /bin/bash -c "python -c \" import requests import time + import os from requests.auth import HTTPBasicAuth - jenkins_user = '${{ secrets.CI_JENKINS_USER }}' - jenkins_token = '${{ secrets.ROCM_JENKINS_CI_TOKEN }}' - jenkins_host = '${{ secrets.ROCM_JENKINS_HOST }}' - jenkins_job = '${{ secrets.ROCM_JENKINS_OSDB_JOB }}' + jenkins_user = os.environ['JENKINS_USER'] + jenkins_token = os.environ['JENKINS_TOKEN'] + jenkins_host = os.environ['JENKINS_HOST'] + jenkins_job = os.environ['JENKINS_JOB'] jenkins_url = f'{jenkins_host}/job/{jenkins_job}/buildWithParameters'