problem: Actions runner token is stored with password hash #12443

New issue

Open

opened 2026-05-07 00:09:25 +02:00 by Gusted · 2 comments

Gusted commented 2026-05-07 00:09:25 +02:00 (Migrated from codeberg.org)

Copy link

Does your problem still exist on the latest Forgejo version?

Yes, the problem still exists (tested locally with the latest development version)

About your usage of Forgejo

Co-maintainer of Codeberg.org's Forgejo instance.

Problem description

I took a CPU and trace profile on codeberg.org to check for a weird performance bug, while doing that there was something that caught my eye:

Text Version

             crypto/internal/fips140/sha256.blockAVX2 /home/build/deploy-15/build/go-1.26.2/go/src/crypto/internal/fips140/sha256/sha256block_amd64.s:57
             crypto/internal/fips140/sha256.block /home/build/deploy-15/build/go-1.26.2/go/src/crypto/internal/fips140/sha256/sha256block_amd64.go:32
             crypto/internal/fips140/sha256.(*Digest).Write /home/build/deploy-15/build/go-1.26.2/go/src/crypto/internal/fips140/sha256/sha256.go:179
             crypto/internal/fips140/sha256.(*Digest).checkSum /home/build/deploy-15/build/go-1.26.2/go/src/crypto/internal/fips140/sha256/sha256.go:227
             crypto/internal/fips140/sha256.(*Digest).Sum /home/build/deploy-15/build/go-1.26.2/go/src/crypto/internal/fips140/sha256/sha256.go:204
             crypto/internal/fips140/hmac.(*HMAC).Sum /home/build/deploy-15/build/go-1.26.2/go/src/crypto/internal/fips140/hmac/hmac.go:61
             golang.org/x/crypto/pbkdf2.Key /home/build/go/pkg/mod/golang.org/x/crypto@v0.49.0/pbkdf2/pbkdf2.go:70
             forgejo.org/models/auth.HashToken /home/build/deploy-15/build/forgejo/models/auth/twofactor.go:127
             forgejo.org/routers/api/actions/runner.init.func1.1 /home/build/deploy-15/build/forgejo/routers/api/actions/runner/interceptor.go:44
             connectrpc.com/connect.NewUnaryHandler[go.shape.8af9c1988d9803e1dd8b92b31ba7697627b6cb5474044bf26f47a0f4bb25d16f,go.shape.3513d525dd26f2821679c3ec21b8318c9b98590927603d0b4814493c1c45df1d].func2 /home/build/go/pkg/mod/connectrpc.com/connect@v1.19.1/handler.go:78
             connectrpc.com/connect.(*Handler).ServeHTTP /home/build/go/pkg/mod/connectrpc.com/connect@v1.19.1/handler.go:333
             code.forgejo.org/forgejo/actions-proto/runner/v1/runnerv1connect.NewRunnerServiceHandler.func1 /home/build/go/pkg/mod/code.forgejo.org/forgejo/actions-proto@v0.7.0/runner/v1/runnerv1connect/services.connect.go:233
[...]

That's way more than it should be.

The relevant code show painfully why it was showing up as taking that much time in the CPU profile:

codeberg.org/forgejo/forgejo@69cf1f3333/routers/api/actions/runner/interceptor.go (L43)

It's run in the interceptor! Thus on every request from the Forgejo Runner to the Forgejo instance, the token is hashed and checked. But hashing is not expensive! But the hash used is pbkdf, which is a hash for passwords (low entropy) and thus slow on purpose:

codeberg.org/forgejo/forgejo@69cf1f3333/models/auth/twofactor.go (L73-L77)

The token has enough entropy to be hashed via SHA256 or blake even.

Potential workarounds

• Deploy codeberg.org/Codeberg-Infrastructure/forgejo@fb4a64f0ac, although seems to not be sufficient with a cache size of 1024 on the scale of Codeberg.

Forgejo Version

v15.0.1

Other details about your environment (software names and versions)

Codeberg runs a soft fork of Forgejo, https://codeberg.org/Codeberg-Infrastructure/forgejo

Solutions

Accepted solutions to address this problem will go here

### Does your problem still exist on the latest Forgejo version? Yes, the problem still exists (tested locally with the latest development version) ### About your usage of Forgejo Co-maintainer of Codeberg.org's Forgejo instance. ### Problem description I took a CPU and trace profile on codeberg.org to check for a weird performance bug, while doing that there was something that caught my eye:  <details><summary>Text Version</summary> ``` crypto/internal/fips140/sha256.blockAVX2 /home/build/deploy-15/build/go-1.26.2/go/src/crypto/internal/fips140/sha256/sha256block_amd64.s:57 crypto/internal/fips140/sha256.block /home/build/deploy-15/build/go-1.26.2/go/src/crypto/internal/fips140/sha256/sha256block_amd64.go:32 crypto/internal/fips140/sha256.(*Digest).Write /home/build/deploy-15/build/go-1.26.2/go/src/crypto/internal/fips140/sha256/sha256.go:179 crypto/internal/fips140/sha256.(*Digest).checkSum /home/build/deploy-15/build/go-1.26.2/go/src/crypto/internal/fips140/sha256/sha256.go:227 crypto/internal/fips140/sha256.(*Digest).Sum /home/build/deploy-15/build/go-1.26.2/go/src/crypto/internal/fips140/sha256/sha256.go:204 crypto/internal/fips140/hmac.(*HMAC).Sum /home/build/deploy-15/build/go-1.26.2/go/src/crypto/internal/fips140/hmac/hmac.go:61 golang.org/x/crypto/pbkdf2.Key /home/build/go/pkg/mod/golang.org/x/crypto@v0.49.0/pbkdf2/pbkdf2.go:70 forgejo.org/models/auth.HashToken /home/build/deploy-15/build/forgejo/models/auth/twofactor.go:127 forgejo.org/routers/api/actions/runner.init.func1.1 /home/build/deploy-15/build/forgejo/routers/api/actions/runner/interceptor.go:44 connectrpc.com/connect.NewUnaryHandler[go.shape.8af9c1988d9803e1dd8b92b31ba7697627b6cb5474044bf26f47a0f4bb25d16f,go.shape.3513d525dd26f2821679c3ec21b8318c9b98590927603d0b4814493c1c45df1d].func2 /home/build/go/pkg/mod/connectrpc.com/connect@v1.19.1/handler.go:78 connectrpc.com/connect.(*Handler).ServeHTTP /home/build/go/pkg/mod/connectrpc.com/connect@v1.19.1/handler.go:333 code.forgejo.org/forgejo/actions-proto/runner/v1/runnerv1connect.NewRunnerServiceHandler.func1 /home/build/go/pkg/mod/code.forgejo.org/forgejo/actions-proto@v0.7.0/runner/v1/runnerv1connect/services.connect.go:233 [...] ``` </details> That's way more than it should be. The relevant code show painfully why it was showing up as taking that much time in the CPU profile: https://codeberg.org/forgejo/forgejo/src/commit/69cf1f3333cdb420dca6d07d74b5e0269c428057/routers/api/actions/runner/interceptor.go#L43 It's run in the interceptor! Thus on every request from the Forgejo Runner to the Forgejo instance, the token is hashed and checked. But hashing is not expensive! But the hash used is pbkdf, which is a hash for passwords (low entropy) and thus slow on purpose: https://codeberg.org/forgejo/forgejo/src/commit/69cf1f3333cdb420dca6d07d74b5e0269c428057/models/auth/twofactor.go#L73-L77 The token has enough entropy to be hashed via SHA256 or blake even. ### Potential workarounds - Deploy https://codeberg.org/Codeberg-Infrastructure/forgejo/commit/fb4a64f0ac26d337f783acc147e8026424aa4aad, although seems to not be sufficient with a cache size of 1024 on the scale of Codeberg. ### Forgejo Version v15.0.1 ### Other details about your environment (software names and versions) Codeberg runs a soft fork of Forgejo, https://codeberg.org/Codeberg-Infrastructure/forgejo ### Solutions *Accepted solutions to address this problem will go here*

Gusted commented 2026-05-07 00:13:55 +02:00 (Migrated from codeberg.org)

Copy link

Tagging this as good first issue, and loosely related to actions. The way to fix this is straight forward IMO and happy to take a new contributor as a way to explore the codebase.

Tagging this as good first issue, and loosely related to actions. The way to fix this is straight forward IMO and happy to take a new contributor as a way to explore the codebase.

vagonzal commented 2026-05-07 17:15:32 +02:00 (Migrated from codeberg.org)

Copy link

Happy to take this issue

Happy to take this issue

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

forgejo

bp-v15.0/forgejo-49f9cc7

v15.0/forgejo

v11.0/forgejo

renovate/forgejo-postcss

renovate/forgejo-github.com-fsnotify-fsnotify-1.x

renovate/forgejo-github.com-alecthomas-chroma-v2-2.x

renovate/forgejo-github.com-go-webauthn-webauthn-0.x

v14.0/forgejo

bp-v15.0/forgejo-2176403

bp-v14.0/forgejo-9767ceb

bp-v14.0/forgejo-d996dfb

v13.0/forgejo

bp-v13.0/forgejo-dc0a63e

bp-v13.0/forgejo-e7ef2eb

v12.0/forgejo

bp-v12.0/forgejo-cf1fda8-a511e37

bp-v11.0/forgejo-b52cec7

v7.0/forgejo

v10.0/forgejo

v9.0/forgejo

v8.0/forgejo

v1.21/forgejo

v1.20/forgejo

v1.19/forgejo

v1.18/forgejo

v1.17/forgejo

v14.0.5

v15.0.1

v11.0.13

v15.0.0

v14.0.4

v11.0.12

v16.0.0-dev

v14.0.3

v11.0.11

v14.0.2

v14.0.1

v13.0.5

v11.0.10

v14.0.0

v13.0.4

v11.0.9

v15.0.0-dev

v13.0.3

v11.0.8

v11.0.7

v13.0.2

v13.0.1

v13.0.0

v14.0.0-dev

v11.0.6

v12.0.4

v12.0.3

v11.0.5

v11.0.4

v12.0.2

v12.0.1

v12.0.0

v7.0.16

v11.0.3

v13.0.0-dev

v11.0.2

v7.0.15

v11.0.1

v11.0.0

v12.0.0-dev

v10.0.3

v10.0.2

v7.0.14

v7.0.13

v10.0.1

v10.0.0

v11.0.0-dev

v9.0.3

v7.0.12

v7.0.11

v9.0.2

v9.0.1

v7.0.10

v9.0.0

v10.0.0-dev

v8.0.3

v7.0.9

v8.0.2

v7.0.8

v8.0.1

v7.0.7

v7.0.6

v8.0.0

v9.0.0-dev

v7.0.5

v1.21.11-2

v7.0.4

v7.0.3

v7.0.2

v7.0.1

v7.0.0

v1.21.11-1

v1.21.11-0

v1.21.10-0

v8.0.0-dev

v1.21.8-0

v1.21.7-0

v1.21.6-0

v1.21.5-0

v1.21.4-0

v1.21.3-0

v1.20.6-1

v1.21.2-1

v1.21.2-0

v1.21.1-0

v1.20.6-0

v1.20.5-1

v1.21.0-rc2

v1.21.0-rc1

v1.20.5-0

v7.0.0-dev

v1.21.0-rc0

v1.20.4-1

v1.20.4-0

v1.20.3-0

v1.20.2-0

v1.20.1-0

v1.20.0

v1.19.4-0

v1.21.0-dev

v1.20.0-rc2

v1.19.3-0

v1.19.2-0

v1.19.1-0

v1.19.0-3

v1.19.0-2

v1.18.5-0

v1.20.0-dev

v1.19.0-rc0

v1.18.3-2

v1.18.3-1

v1.18.3-0

v1.18.2-1

v1.18.2-0

v1.18.1-0

v1.18.0-1

v1.18.0-0

v1.18.0-rc1-2

v1.18.0-rc1-1

v1.18.0-rc1

v1.18.0-rc0

v1.19.0-dev

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

sleepy/forgejo#12443

No description provided.