It should come as no surprise that running untrusted code in a GitHub Actions workflow can have unintended consequences. It’s a fun feature that automatically runs through a code test suite when a pull request is opened. But that pull request runs in part of the target’s development environment, and some clever attacks have been found over the years that exploit it. There is now another one, what Legit Security calls Github Environment Injection, and there were some large organizations that were vulnerable to it.
The crux of the problem is the $GITHUB_ENV file, which contains environment variables to be set in the Actions environment. Individual variables are added to this file as part of the automated action, and that process must include some data sanitization. Otherwise, an attacker could send a value that includes a newline, followed by a completely unintended environment variable. And an accidental, arbitrary environment variable is game over for the safety of the workflow. The example uses the NODE_OPTIONS variable to dump the entire environment to an available output. Any API keys or other secrets are revealed.
This particular attack was reported to GitHub, but there is no practical way to fix it architecturally. So it’s up to individual projects to be very careful about writing untrusted data into the $GITHUB_ENV file.
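To make the newline problem concrete, here is an added example (not code from the article or from Legit Security) that models two ways a workflow step might write an untrusted pull-request title into $GITHUB_ENV. The parser is a simplified, assumed model of the runner's documented `NAME=VALUE` and `NAME<<DELIMITER` formats, and the injected variable name is a constructed placeholder.

```python
import secrets


def parse_github_env(text: str) -> dict:
    """Simplified model (assumption) of how the runner reads $GITHUB_ENV:
    'NAME=VALUE' sets one variable; 'NAME<<DELIM' starts a multi-line
    value that runs until a line equal to DELIM."""
    env = {}
    lines = text.split("\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        if not line.strip():
            i += 1
            continue
        if "<<" in line and "=" not in line.split("<<", 1)[0]:
            name, delim = line.split("<<", 1)
            body = []
            i += 1
            while i < len(lines) and lines[i] != delim:
                body.append(lines[i])
                i += 1
            env[name.strip()] = "\n".join(body)
        elif "=" in line:
            name, value = line.split("=", 1)
            env[name.strip()] = value
        i += 1
    return env


def write_env_naive(name: str, value: str) -> str:
    # Vulnerable pattern, equivalent to: echo "NAME=$VALUE" >> "$GITHUB_ENV"
    # A newline inside VALUE starts a second, attacker-chosen assignment.
    return f"{name}={value}\n"


def write_env_safe(name: str, value: str) -> str:
    # Hardened pattern: the multi-line heredoc form with an unguessable
    # delimiter, so embedded newlines stay inside the intended value.
    delim = f"ghadelim_{secrets.token_hex(16)}"
    if delim in value:
        raise ValueError("delimiter collision")
    return f"{name}<<{delim}\n{value}\n{delim}\n"


# Constructed PR title carrying a newline and a placeholder variable.
UNTRUSTED_TITLE = "Fix typo\nINJECTED=yes"


def demo():
    """Return the variables the runner would see under each pattern."""
    naive = parse_github_env(write_env_naive("PR_TITLE", UNTRUSTED_TITLE))
    safe = parse_github_env(write_env_safe("PR_TITLE", UNTRUSTED_TITLE))
    return naive, safe
```

Under the naive pattern the runner sees two variables, one of them chosen by the PR author; under the heredoc pattern the whole title, newline included, stays in PR_TITLE.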
Continue reading “This Week in Security: GitHub Actions, SHA-1 Retirement, and a Self-Worming Vulnerability”