Github-actions
Security
workflow-run-target-code-checkout
workflow-run-target-code-checkout
This GitHub Actions workflow file uses
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- C
- W
- E
- -
- 9
- 1
- 3
- :
-
- I
- m
- p
- r
- o
- p
- e
- r
-
- C
- o
- n
- t
- r
- o
- l
-
- o
- f
-
- D
- y
- n
- a
- m
- i
- c
- a
- l
- l
- y
- -
- M
- a
- n
- a
- g
- e
- d
-
- C
- o
- d
- e
-
- R
- e
- s
- o
- u
- r
- c
- e
- s
OWASP:
- A
- 0
- 1
- :
- 2
- 0
- 1
- 7
-
- -
-
- I
- n
- j
- e
- c
- t
- i
- o
- n
workflow_run and checks out code from the incoming pull request. When using workflow_run, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you’re now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., npm build and make) or dependency installation scripts (e.g., python setup.py install). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- C
- W
- E
- -
- 9
- 1
- 3
- :
-
- I
- m
- p
- r
- o
- p
- e
- r
-
- C
- o
- n
- t
- r
- o
- l
-
- o
- f
-
- D
- y
- n
- a
- m
- i
- c
- a
- l
- l
- y
- -
- M
- a
- n
- a
- g
- e
- d
-
- C
- o
- d
- e
-
- R
- e
- s
- o
- u
- r
- c
- e
- s
OWASP:
- A
- 0
- 1
- :
- 2
- 0
- 1
- 7
-
- -
-
- I
- n
- j
- e
- c
- t
- i
- o
- n
pull-request-target-code-checkout
pull-request-target-code-checkout
This GitHub Actions workflow file uses
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-913: Improper Control of Dynamically-Managed Code Resources
OWASP:
- A01:2021 - Broken Access Control
pull_request_target and checks out code from the incoming pull request. When using pull_request_target, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you’re now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., npm build and make) or dependency installation scripts (e.g., python setup.py install). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.Likelihood: LOW
Confidence: LOW
CWE:
- CWE-913: Improper Control of Dynamically-Managed Code Resources
OWASP:
- A01:2021 - Broken Access Control
github-script-injection
github-script-injection
Using variable interpolation
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
${{...}} with github context data in a actions/github-script’s script: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: “$ENVVAR”.Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
third-party-action-not-pinned-to-commit-sha
third-party-action-not-pinned-to-commit-sha
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action’s repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-1357: Reliance on Insufficiently Trustworthy Component
- CWE-353: Missing Support for Integrity Check
OWASP:
- A
- 0
- 6
- :
- 2
- 0
- 2
- 1
-
- -
-
- V
- u
- l
- n
- e
- r
- a
- b
- l
- e
-
- a
- n
- d
-
- O
- u
- t
- d
- a
- t
- e
- d
-
- C
- o
- m
- p
- o
- n
- e
- n
- t
- s
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-1357: Reliance on Insufficiently Trustworthy Component
- CWE-353: Missing Support for Integrity Check
OWASP:
- A
- 0
- 6
- :
- 2
- 0
- 2
- 1
-
- -
-
- V
- u
- l
- n
- e
- r
- a
- b
- l
- e
-
- a
- n
- d
-
- O
- u
- t
- d
- a
- t
- e
- d
-
- C
- o
- m
- p
- o
- n
- e
- n
- t
- s
allowed-unsecure-commands
allowed-unsecure-commands
The environment variable
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-749: Exposed Dangerous Method or Function
OWASP:
- A
- 0
- 6
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- c
- u
- r
- i
- t
- y
-
- M
- i
- s
- c
- o
- n
- f
- i
- g
- u
- r
- a
- t
- i
- o
- n
ACTIONS_ALLOW_UNSECURE_COMMANDS grants this workflow permissions to use the set-env and add-path commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don’t use ACTIONS_ALLOW_UNSECURE_COMMANDS. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information.Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-749: Exposed Dangerous Method or Function
OWASP:
- A
- 0
- 6
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- c
- u
- r
- i
- t
- y
-
- M
- i
- s
- c
- o
- n
- f
- i
- g
- u
- r
- a
- t
- i
- o
- n
curl-eval
curl-eval
Data is being eval’d from a
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
curl command. An attacker with control of the server in the curl command could inject malicious code into the eval, resulting in a system comrpomise. Avoid eval’ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
run-shell-injection
run-shell-injection
Using variable interpolation
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: “$ENVVAR”.Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection