Action pull-request.yml possibly vulnerable to RCE #3699

Open
nickleali opened this issue Jul 10, 2024 · 0 comments
Describe the bug
The pull-request.yml is vulnerable to RCE via a malicious PR

https://github.com/webex/webex-js-sdk/blob/next/.github/workflows/pull-request.yml

See more information in the GitHub Security Lab blog:
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

To Reproduce
Steps to reproduce the behavior:

While the event verifies that the PR contains a validated label, it is possible for the attacker to push malicious content to the PR after this label was added. After the validation, the workflow:

```yaml
- name: Checkout Project
  uses: actions/checkout@v3
  with:
    ref: ${{ github.event.pull_request.head.sha }}
```

checks out the PR, which may contain malicious data.
Then it runs yarn, which uses local data and may lead to RCE:

```yaml
- name: Install Dependencies
  run: yarn
```

Expected behavior
May consider not using the pull_request action or a different flow to invoke yarn.


Platform (please complete the following information):

  • OS: Linux platforms
  • Browser independent
  • Version independent

Additional context
No additional context, but refer to the GitHub best practices.

@nickleali nickleali added the bug Bug label Jul 10, 2024
@sreenara sreenara self-assigned this Aug 13, 2024