Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: security test #55

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

feat: security test #55

wants to merge 8 commits into from
+12 −0

Conversation

4bg0P
Copy link

@4bg0P 4bg0P commented Jan 9, 2025

This is a security test

@4bg0P 4bg0P requested a review from a team as a code owner January 9, 2025 17:05
@github-actions github-actions bot added the action-request Request to perform actions on bluesky accounts label Jan 9, 2025
@joyeecheung
Copy link
Member

hmm, this should not be run for first-time contributors. Did someone approve the workflows? @nodejs/bluesky @nodejs/tsc

@4bg0P
Copy link
Author

4bg0P commented Jan 9, 2025

Hey @joyeecheung,

I hope you are doing good. I'm just trying to do some tests there (I'm part of NodeJS H1 program), if it's bothering you I can stop right now.

@joyeecheung
Copy link
Member

Hi @4bg0P I understand that you are testing the security of this repo, thanks. Do I understand correctly that you have write permission to this repository and approved the validation workflow? I am just trying to figure out if there is a loophole in which people without write permission to the repository can send in a PR and trigger the validation workflow with it, without anyone else pushing the approve button.

@4bg0P
Copy link
Author

4bg0P commented Jan 9, 2025

Hi @joyeecheung,

Indeed I don't have any write access to this repository. I was trying to test the validate.yml workflow, as it has a pull_request_target trigger. This trigger is risky as it permits anyone without validation to run the workflow, when a PR is opened (see https://docs.github.com/fr/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target).

In this specific workflow, this trigger is combined with a checkout of the forked repository. It means the all the steps of the workflow will be done based on the fork i.e from files controlled by a potential attacker. This is what I did here, and to be 100% transparent, I tried to make a command injection using the names of the JSON files (as those names are used to fill an environment variable, later used and printed).

I hope this will be clearer! If you want to add safety on this workflow, I think the best would be to set the "pull_request" trigger instead of the "pull_request_target"; it would at least require the attacker to have been approved one time, and to have contribute to the repository.

@joyeecheung
Copy link
Member

cc @aduh95

@joyeecheung
Copy link
Member

Thanks for the heads up! The workflow was changed in #31 to use pull_request_target, I think we should change back to use pull_request. In the meantime, I've disabled the validation workflow and revoked the app password being in use.

@4bg0P
Copy link
Author

4bg0P commented Jan 9, 2025

Indeed once the command injection in place, I wanted to send it to my server (in a secure way) and then test it, to report it on https://hackerone.com/nodejs
Too bad for me, you've been too fast spotting my attempts :)

Have a great day,
Théo

@joyeecheung joyeecheung mentioned this pull request Jan 9, 2025
Open
joyeecheung added a commit that referenced this pull request Jan 9, 2025
@joyeecheung
Use pull_request in validation workflow
a63f85a 
See #55 - using pull_request_target would allow the workflow to run without authorization. While there are some code in this workflow to defend against naive attacks e.g. adding scripts to the actions, there could be other attack vectors e.g. via specially crafted branch names or file names that evade GitHub's escape rules. It would be too hard to wrap our head around this, so the easiest way to defend against it would be to restrict full validation that require access to secrets to PRs opened from branches in this repo.

For PRs opened from forks, I think we should go back to what I proposed in #10 - that is, only run local validations that require no access to secrets, and use `pull_request` for it.

cc @aduh95 @nodejs/tsc
@joyeecheung joyeecheung mentioned this pull request Jan 9, 2025
Merged
joyeecheung added a commit that referenced this pull request Jan 9, 2025
@joyeecheung
Use pull_request in validation workflow (#56)
f8e9222 
See #55 - using pull_request_target would allow the workflow to run without authorization. While there are some code in this workflow to defend against naive attacks e.g. adding scripts to the actions, there could be other attack vectors e.g. via specially crafted branch names or file names that evade GitHub's escape rules. It would be too hard to wrap our head around this, so the easiest way to defend against it would be to restrict full validation that require access to secrets to PRs opened from branches in this repo.

For PRs opened from forks, I think we should go back to what I proposed in #10 - that is, only run local validations that require no access to secrets, and use `pull_request` for it.

cc @aduh95 @nodejs/tsc
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
action-request Request to perform actions on bluesky accounts
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@4bg0P @joyeecheung