23 | December | 2022

It should come as no surprise that running untrusted code in a GitHub Actions workflow can have unintended consequences. It’s a fun feature that automatically runs through a code test suite when a pull request is opened. But that pull request runs in part of the target’s development environment, and some clever attacks have been found over the years that exploit it. There is now another one, what Legit Security calls Github Environment Injection, and there were some large organizations that were vulnerable to it.

The crux of the problem is the $GITHUB_ENV file, which contains environment variables to be set in the Actions environment. Individual variables are appended to this file as part of the automated action, and that process must include some data sanitization. Otherwise, an attacker could supply a value that includes a newline, and with it a completely unintended environment variable. An accidental, arbitrary environment variable is game over for the safety of the workflow: the example uses the NODE_OPTIONS variable to dump the entire environment to an available output, revealing any API keys or other secrets.

This particular attack was reported to GitHub, but there is no practical way to fix it architecturally. So it’s up to individual projects to be very careful about writing untrusted data into the $GITHUB_ENV file.
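As an added illustration (not code from the article or from Legit Security), here is a small guard for the append step: it refuses single-line values that carry CR or LF, uses GitHub's documented `NAME<<DELIMITER` multiline form with a random delimiter for values that legitimately span lines, and shows which names a line-by-line parse of the file would actually set. The helper names are hypothetical.

```shell
# env_append ENV_FILE NAME VALUE: write NAME=VALUE, rejecting unsafe input.
# Returns 0 when written, 1 when rejected.
env_append() {
  env_file=$1; name=$2; value=$3
  nl='
'
  cr=$(printf '\r')
  # Accept only conventional variable names.
  case $name in
    "" | *[!A-Za-z0-9_]*) return 1 ;;
  esac
  # A CR or LF inside the value is the injection vector: refuse it outright.
  case $value in
    *"$nl"* | *"$cr"*) return 1 ;;
  esac
  printf '%s=%s\n' "$name" "$value" >> "$env_file"
}

# env_append_multiline ENV_FILE NAME VALUE: for values that really span lines,
# use GitHub's heredoc form with a random delimiter so a crafted value cannot
# close the block early. Refuses a value that happens to contain the delimiter.
env_append_multiline() {
  env_file=$1; name=$2; value=$3
  case $name in
    "" | *[!A-Za-z0-9_]*) return 1 ;;
  esac
  delim="ghadelim_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
  case $value in
    *"$delim"*) return 1 ;;
  esac
  printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$env_file"
}

# env_defined_names ENV_FILE: print, one per line, the names a line-by-line
# parse of the file would set. Lines inside a heredoc block are skipped, so a
# NAME=VALUE line smuggled into a multiline value does not count.
env_defined_names() {
  awk '
    inblock { if ($0 == delim) inblock = 0; next }
    match($0, /^[A-Za-z_][A-Za-z0-9_]*<</) {
      delim = substr($0, RLENGTH + 1); print substr($0, 1, RLENGTH - 2)
      inblock = 1; next
    }
    match($0, /^[A-Za-z_][A-Za-z0-9_]*=/) { print substr($0, 1, RLENGTH - 1) }
  ' "$1"
}
```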

Continue reading “This Week in Security: GitHub Actions, SHA-1 Retirement, and a Self-Worming Vulnerability”

Wouldn’t it be great if you could keep all your little Internet-connected hacks up to date from a single code base? A couple of weeks ago we wrote up a project that automatically pulls OTA updates down to an ESP32 from GitHub, using the ESP32 C SDK. [Pascal] asked in the comments, “but what about MicroPython?” Gauntlet thrown, [TURFPTAx] wrote ugit.py, a simple library that mirrors all the code from a public GitHub Python repo straight to your gadget running MicroPython.


[Damped] wrote in about Senko, another library that does something very similar, but by then [TURFPTAx] was already done. Bam! Part of the speed is that MicroPython includes everything you need to get the job done; parsing the streamed JSON was the hard part of the original hack, and MicroPython makes that sort of thing easy.

This is one of those ideas that is only brilliant for a hacker with a small herd of independent devices to wrangle. And because ugit.py itself is pretty simple and readable, adapting it to do your own bidding is no problem either. Just be sure that when you save your WiFi credentials, they are not publicly visible. ([TURFPTAx], can I log on to the WiFi at your house?)

What is [TURFPTAx] going to use this for? We’re guessing it’s going to distribute code for his awesome Open Muscle sensor rigs. What are we going to use it for? Blinky Christmas ornaments for the in-laws, now remotely updatable without them even having to learn what a “repo” is.

Continue reading “GitHub ESP32 OTA updates, now in MicroPython flavor”

The soul of a rock band is its rhythm section, usually consisting of a drummer and a bassist. If you don’t believe that, try listening to a band where these two can’t keep time. Bands can often get away with sloppy guitars and vocals (that’s how punk became a genre), but without that foundation you’ll be hard-pressed to score any gigs at all. Drums are unfortunately bulky and expensive, and good drummers are hard to find, so if you’re an aspiring bass player who wants to practice laying down a solid track on your own, check out this drum machine designed by [Duncan McIntyre].


The drum machine is designed to be as user-friendly as possible for someone actively playing another instrument, which means all tactile inputs and no touchscreens. Several rows of buttons across the top select the drum sounds for the sequencer, and each column corresponds to a beat, allowing custom patterns to be selected and changed quickly. There are several other controls for volume and tempo, and since it’s built around MIDI using the VS1053 chip and an STM32 microcontroller, it’s easy to configure and can be quickly connected to other machines as well.

For anyone looking to build their own, all the schematics and code are available on GitHub. However, if you have an aversion to digital gear, check out this drum machine that produces its rhythms using circuits that are completely analog.

Continue reading “Beat Backing Box for Bass Players”
