{"id":2374,"date":"2018-09-11T08:29:17","date_gmt":"2018-09-11T15:29:17","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2374"},"modified":"2018-09-12T08:56:59","modified_gmt":"2018-09-12T15:56:59","slug":"protecting-mozillas-github-repositories-from-malicious-modification","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2018\/09\/11\/protecting-mozillas-github-repositories-from-malicious-modification\/","title":{"rendered":"Protecting Mozilla\u2019s GitHub Repositories from Malicious Modification"},"content":{"rendered":"

At Mozilla, we\u2019ve been working to ensure our repositories hosted on GitHub are protected from malicious modification. As the recent Gentoo incident<\/a> demonstrated, such attacks are possible.<\/p>\n

Mozilla\u2019s original usage of GitHub was an alternative way to provide access to our source code. Similar to Gentoo, the \u201csource of truth\u201d repositories were maintained on our own infrastructure. While we still do utilize our own infrastructure for much of the Firefox browser code, Mozilla has many projects which exist only on GitHub. While some of those project are just experiments, others are used in production (e.g. Firefox Accounts<\/a>). We need to protect such \u201csensitive repositories\u201d against malicious modification, while also keeping the barrier to contribution as low as practical.<\/p>\n

This describes the mitigations we have put in place to prevent shipping (or deploying) from a compromised repository. We are sharing both our findings and some tooling<\/a> to support auditing. These add the protections with minimal disruption to common GitHub workflows.<\/p>\n

The risk we are addressing here is the compromise of a GitHub user\u2019s account, via mechanisms unique to GitHub. As the Gentoo and other incidents show, when a user account is compromised, any resource the user has permissions to can be affected.<\/p>\n

Overview<\/h2>\n

GitHub is a wonderful ecosystem with many extensions, or \u201capps\u201d, to make certain workflows easier. Apps obtain permission from a user to perform actions on their behalf. An app can ask for permissions including modifying or adding additional user credentials. GitHub makes these permission requests transparent, and requires the user to approve via the web interface, but not all users may be conversant with the implications of granting those permissions to an app. They also may not make the connection that approving such permissions for their personal repositories could grant the same for access to any repository across GitHub where they can make changes.<\/p>\n

Excessive permissions can expose repositories with sensitive information to risks, without the repository admins being aware of those risks. The best a repository admin can do is detect a fraudulent modification after it has been pushed back to GitHub. Neither GitHub nor git can be configured to prevent or highlight this sort of malicious modification; external monitoring is required.<\/p>\n

Implementation<\/h2>\n

The following are taken from our approach<\/a> to addressing this concern, with Mozilla specifics removed. As much as possible, we borrow from the web\u2019s best practices, used features of the GitHub platform, and tried to avoid adding friction to the daily developer workflows.<\/p>\n

Organization recommendations:<\/h3>\n