You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While the event verifies that the PR contains a validated label, it is possible for the attacker to push malicious content to the PR after this label was added. After the validation, the workflow:
- name: Checkout Project
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
Checks out the PR, which may contain malicious data.
Then it runs yarn, which uses local data, and may lead to RCE:
- name: Install Dependencies
run: yarn
Expected behavior
May consider not using the pull_request action or a different flow to invoke yarn.
Screenshots
If applicable, add screenshots to help explain your problem.
Platform (please complete the following information):
OS: Linux platforms
Browser independent
Version independed
Additional context
No additional context but refer to the github best practices
The text was updated successfully, but these errors were encountered:
Describe the bug
The pull-request.yml is vulnerable to RCE via a malicious PR
https://github.com/webex/webex-js-sdk/blob/next/.github/workflows/pull-request.yml
See more information in the github blog
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
To Reproduce
Steps to reproduce the behavior:
While the event verifies that the PR contains a validated label, it is possible for the attacker to push malicious content to the PR after this label was added. After the validation, the workflow:
- name: Checkout Project
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
Checks out the PR, which may contain malicious data.
Then it runs yarn, which uses local data, and may lead to RCE:
- name: Install Dependencies
run: yarn
Expected behavior
May consider not using the pull_request action or a different flow to invoke yarn.
Screenshots
If applicable, add screenshots to help explain your problem.
Platform (please complete the following information):
Additional context
No additional context but refer to the github best practices
The text was updated successfully, but these errors were encountered: