Runner registrations does not use full secret #135
Reference: forgejo/runner#135
Problem:
When trying to register different runners using a secret with a single character difference, Forgejo returns the same UUID for each runner. If the runner connected, a duplicate error message is shown.
Example:
And if the runner connects, subsequent registrations result in a duplicate runner error. For example:
Expected:
New UUID for a new secret, whether or not a runner actually connects to the server with that secret.
Yes, it only uses part of the secret to create the UUID, which can lead to collision. The odds of such a collision happening are negligible if the secret is generated from a random source. But, as you discovered, it is easy to create such collisions with manually generated secrets.
Although it is a border case, it would be worth mentioning in the documentation, somewhere at https://forgejo.org/docs/v1.21/admin/actions/#registration maybe?
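The collision discussed in this thread, as an added example that is not part of the issue or of Forgejo's code: it models an identifier derived from only the leading characters of the secret and reports which planned secrets would share one. The 16-character prefix, the 40-hex-character secret length and the names `runnerID`, `collisions` and `newSecret` are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// idLen is an assumption: leading characters of the secret used for the ID.
const idLen = 16

// runnerID models an identifier derived from only the start of the secret.
func runnerID(secret string) string {
	if len(secret) < idLen {
		return secret
	}
	return secret[:idLen]
}

// collisions returns, per identifier, the secrets that would share it.
func collisions(secrets []string) map[string][]string {
	groups, dup := map[string][]string{}, map[string][]string{}
	for _, s := range secrets {
		id := runnerID(s)
		if groups[id] = append(groups[id], s); len(groups[id]) > 1 {
			dup[id] = groups[id]
		}
	}
	return dup
}

// newSecret returns 40 hex characters read from the OS random source.
func newSecret() (string, error) {
	b := make([]byte, 20)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	// Constructed sample: hand-written secrets differing in the last character.
	manual := []string{strings.Repeat("a", 39) + "1", strings.Repeat("a", 39) + "2"}
	fresh, err := newSecret()
	if err != nil {
		panic(err)
	}
	fmt.Println("colliding identifiers:", len(collisions(append(manual, fresh))))
}
```

Running a check like `collisions` over a list of planned secrets before registration flags the hand-written ones that need replacing with output from a random source.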
Title changed from "Runner registrations seem to not use full secret" to "Runner registrations does not use full secret"