Runner registrations does not use full secret #135

Open
opened 2023-12-17 04:31:19 +00:00 by sdolan99 · 2 comments

Problem:
When trying to register different runners using a secret with a single character difference, forgejo returns the same UUID for each runner. If the runner connected, a duplicate error message is shown.

Example:

```
$ forgejo forgejo-cli actions register --name docker-runner  --secret 1aaaf63c37633090db2eb0e8d1ec5520836c8b7a
31616161-6636-3363-3337-363333303930b23cbf0e0b5d
$ forgejo forgejo-cli actions register --name docker-runner  --secret 1aaaf63c37633090db2eb0e8d1ec5520836c8b7b
31616161-6636-3363-3337-363333303930b23cbf0e0b5d
$ forgejo forgejo-cli actions register --name docker-runner  --secret 1aaaf63c37633090db2eb0e8d1ec5520836c8b7c
31616161-6636-3363-3337-363333303930b23cbf0e0b5d
$ forgejo forgejo-cli actions register --name docker-runner  --secret 1aaaf63c37633090db2eb0e8d1ec5520836c8b7d
31616161-6636-3363-3337-363333303930b23cbf0e0b5d
$ forgejo forgejo-cli actions register --name docker-runner  --secret 1aaaf63c37633090db2eb0e8d1ec5520836c8b7e
```

And if the runner connects, subsequent registrations result in a duplicate runner error. For example:

```
$ forgejo forgejo-cli actions register --name docker-runner  --secret 1aef63c37633090db2eb0e8d1ec5520836c8b7f8
Command error: error while registering runner: can't create new runner Error 1062 (23000): Duplicate entry '31616566-3633-6333-3736-333330393064' for key 'action_runner.UQE_action_runner_uuid'
$ forgejo forgejo-cli actions register --name docker-runner  --secret 1aef63c37633090db2eb0e8d1ec5520836c8b7f9
Command error: error while registering runner: can't create new runner Error 1062 (23000): Duplicate entry '31616566-3633-6333-3736-333330393064' for key 'action_runner.UQE_action_runner_uuid'
```

Expected:
New UUID for a new secret, whether or not a runner actually connects to the server with that secret.

Owner

Yes, it only uses part of the secret to create the UUID, which can lead to collisions. The odds of such a collision happening are negligible if the secret is generated from a random source. But, as you discovered, it is easy to create such collisions with manually generated secrets.

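The partial use of the secret described above can be checked before a batch of runners is registered. This Go sketch is an added example, not Forgejo's code: `uuidFromSecret` and `findCollisions` are hypothetical names, and the derivation (hex encoding of the first 16 ASCII characters of the secret) is inferred from the UUIDs printed in the issue.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// uuidFromSecret reproduces the mapping visible in the issue's output (inferred
// from those values, not taken from Forgejo's source): the first 16 ASCII bytes
// of the secret, hex-encoded and grouped 8-4-4-4-12. Later bytes are ignored.
func uuidFromSecret(secret string) (string, error) {
	if len(secret) < 16 {
		return "", fmt.Errorf("secret has %d bytes, need at least 16", len(secret))
	}
	h := hex.EncodeToString([]byte(secret[:16]))
	return fmt.Sprintf("%s-%s-%s-%s-%s", h[:8], h[8:12], h[12:16], h[16:20], h[20:]), nil
}

// findCollisions groups a batch of secrets by derived UUID and returns only
// the UUIDs that more than one secret in the batch maps to.
func findCollisions(secrets []string) (map[string][]string, error) {
	byUUID := map[string][]string{}
	for _, s := range secrets {
		u, err := uuidFromSecret(s)
		if err != nil {
			return nil, err
		}
		byUUID[u] = append(byUUID[u], s)
	}
	for u, group := range byUUID {
		if len(group) < 2 {
			delete(byUUID, u)
		}
	}
	return byUUID, nil
}

func main() {
	// Secrets copied from the issue: two share a 16-character prefix, one does not.
	batch := []string{
		"1aaaf63c37633090db2eb0e8d1ec5520836c8b7a",
		"1aaaf63c37633090db2eb0e8d1ec5520836c8b7b",
		"1aef63c37633090db2eb0e8d1ec5520836c8b7f8",
	}
	clashes, err := findCollisions(batch)
	fmt.Println(clashes, err)
}
```

Any secret list that comes back with a non-empty map would hit the `UQE_action_runner_uuid` duplicate error once the first runner of a group has connected.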
earl-warren added the Kind/Documentation label 2023-12-17 11:36:45 +00:00
Owner

Although it is a border case, it would be worth mentioning in the documentation, somewhere at https://forgejo.org/docs/v1.21/admin/actions/#registration maybe?

earl-warren changed title from Runner registrations seem to not use full secret to Runner registrations does not use full secret 2023-12-21 13:52:34 +00:00
Reference: forgejo/runner#135