Continuous Integration and Continuous Deployment (CI/CD) software supply chains are a lucrative target for threat actors. GitHub Actions is one of the most widely used platforms for automation, making it an important target.

For the past few months, the GitHub Security Lab has been collaborating with a team of researchers from Purdue University (PurS3 Lab, PurSec Lab) and North Carolina State University (WSPR Lab). Their research, which they are presenting this week at the Usenix Security Conference 2023, is about how they found a number of code injection vulnerabilities in GitHub Actions workflows among open source projects hosted on GitHub. We confirmed their findings by verifying a random sample of the vulnerabilities found, and also advised them on how to report the vulnerabilities to the large number of affected projects. The injection vulnerabilities the researchers found are all variations of the same patterns we've described in previous content, which we share at the end of this blog post. Please read on for the most important points from those posts and use these tips to keep your workflows secure.

## Understanding command injection vulnerabilities in GitHub Actions workflows

A workflow is a program that starts automatically when a specific repository event occurs. As with any program potentially started by an external user, user-controlled inputs should be treated as untrusted. In the context of workflows, this means values such as or. In particular, GitHub Actions expression evaluation is a powerful language-independent feature which may lead to script injections when used in such blocks as `run`. This is a simple example of a workflow that is vulnerable to command injection:

```yaml
- name: print title
  run: echo "$
```

syntax, but it doesn't prevent all command injection vulnerabilities. Therefore, we recommend carefully reviewing your workflows, focusing on the usage of untrusted input.

Additionally, to prevent accidentally introducing similar vulnerabilities in new code, we recommend enabling code scanning for the repository. The Security Lab, in collaboration with the code scanning team, has written CodeQL queries that can catch unsafe interpolation usage with untrusted input. The CodeQL workflow scanning queries are (currently) only included in the query suite for JavaScript, so they're only enabled by default if your project is written in JavaScript. If the main programming language of your project is something else, such as Python or Java, then you need to manually modify the CodeQL workflow to add JavaScript as an additional language. The scanning will work even if your repository doesn't contain any JavaScript, and if you are interested only in workflows, but not other JavaScript files, you can exclude some paths in the CodeQL configuration.

The impact of an injection vulnerability may be greatly reduced by using the principle of least privilege. Every GitHub workflow receives a temporary repository access token (GITHUB_TOKEN). These tokens originally had a very broad set of permissions with full read and write access to the repository (except for pull requests from forks). In 2021, GitHub introduced a more fine-grained permission model for workflow tokens and, today, the default permissions for new repositories and organizations are set to read-only. However, a significant number of workflows still use a write-all token due to grandfathered default workflow permission settings in older repositories. If you want to check if you are using a broad default permission for your workflow tokens, you can go to the repository (or organization) Settings → Actions and check the "Workflow permissions" section.
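As an added example (not code from the original post, and unrelated to the CodeQL queries the Security Lab maintains), the following stdlib-only Python script performs the two reviews described above on workflow text: it flags `${{ }}` expressions that read contributor-controlled event fields from inside a `run:` script, and it reports a GITHUB_TOKEN whose `permissions:` are either left to the repository default or set to `write-all`. The two sample workflows and the list of untrusted contexts are constructed for this illustration; the YAML handling is a small line-based scanner rather than a real parser, so treat it as a review aid for spotting the pattern, not a complete checker.

```python
"""Review aid for two workflow problems: untrusted event data expanded with
${{ }} directly inside a run: script, and a GITHUB_TOKEN whose permissions are
left to the repository default or set to write-all.

Stdlib only. YAML is handled with a small line-based scanner (enough for the
usual workflow layout), not a full YAML parser.
"""
import re

# Event payload fields an outside contributor controls. Constructed,
# non-exhaustive list; extend it for the events your workflows use.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.review_comment.body",
    "github.event.commits",
    "github.event.head_commit.message",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
PERMS_RE = re.compile(r"^[ \t]*permissions:[ \t]*(.*)$", re.MULTILINE)


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def run_scripts(text):
    """Yield (line_no, script_text) for every run: key, folding | and > blocks."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        line_no, key_col, rest = i + 1, len(m.group(1)), m.group(2).strip()
        is_block = rest.rstrip("+-") in ("|", ">")
        script = [] if is_block else [rest]
        i += 1
        # block scalar content is indented deeper than the run: key itself
        while is_block and i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > key_col):
            script.append(lines[i].strip())
            i += 1
        yield line_no, "\n".join(script)


def find_injections(text):
    """Return [(line_no, expression)] for untrusted ${{ }} uses inside run: scripts."""
    hits = []
    for line_no, script in run_scripts(text):
        for expr in EXPR_RE.findall(script):
            if expr.startswith(UNTRUSTED_PREFIXES):
                hits.append((line_no, expr))
    return hits


def permission_findings(text):
    """Describe GITHUB_TOKEN permission settings that are broad or merely inherited."""
    values = [v.strip() for v in PERMS_RE.findall(text)]
    if not values:
        return ["no permissions: key; the token inherits the repository default, "
                "which is still write-all in many older repositories"]
    return [f"permissions: {v} grants read and write on every scope"
            for v in values if v == "write-all"]


def lint(text):
    """Combine both checks into one report dict."""
    return {"injections": find_injections(text),
            "permissions": permission_findings(text)}


# Constructed sample workflows (not taken from any real repository).
VULNERABLE = """\
name: issue-greeter
on: issues
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: print title
        run: echo "${{ github.event.issue.title }}"
"""

HARDENED = """\
name: issue-greeter
on: issues
permissions:
  issues: read
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: print title
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          # the title reaches the shell as data in a variable, not as script text
          echo "$TITLE"
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, lint(wf))
```

The hardened sample shows the two fixes side by side: the untrusted value is passed through an intermediate environment variable so the shell never parses it as script text, and a minimal `permissions:` block replaces whatever default the repository inherited. Run the script as-is to see the vulnerable workflow reported and the hardened one pass clean; pointing `lint()` at your own `.github/workflows/*.yml` files is the obvious next step.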