-
-
Notifications
You must be signed in to change notification settings - Fork 7
Expand file tree
/
Copy pathpull-request-target-code-checkout.yaml
More file actions
77 lines (77 loc) · 2.77 KB
/
Copy pathpull-request-target-code-checkout.yaml
File metadata and controls
77 lines (77 loc) · 2.77 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
rules:
- id: pull-request-target-code-checkout
languages:
- yaml
message: >-
This GitHub Actions workflow file uses `pull_request_target` and checks out code
from the incoming pull request. When using `pull_request_target`, the Action
runs in the context of the target repository, which includes access to all repository
secrets. Normally, this is safe because the Action only runs code from the target
repository, not the incoming PR. However, by checking out the incoming PR code, you're now using
the incoming code for the rest of the action. You may be inadvertently executing arbitrary code
from the incoming PR with access to repository secrets, which would let an attacker steal repository
secrets.
This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation
scripts (e.g., `python setup.py install`).
Audit your workflow file to make sure no code from the incoming PR is executed.
Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional
mitigations.
metadata:
tags: [security]
shortDescription: Unsafe code checkout in pull_request_target workflow
confidence: LOW
help: |
## Remediation
When using `pull_request_target`, avoid checking out code from the incoming PR. If you must check out PR code,
ensure no untrusted code is executed (including build scripts and dependency installation).
See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.
category: security
owasp:
- A01:2021 - Broken Access Control
cwe:
- 'CWE-913: Improper Control of Dynamically-Managed Code Resources'
references:
- https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
- https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md
technology:
- github-actions
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
patterns:
- pattern-either:
- pattern-inside: |
on:
...
pull_request_target: ...
...
...
- pattern-inside: |
on: [..., pull_request_target, ...]
...
- pattern-inside: |
on: pull_request_target
...
- pattern-inside: |
jobs:
...
$JOBNAME:
...
steps:
...
- pattern: |
...
uses: "$ACTION"
with:
...
ref: $EXPR
- metavariable-regex:
metavariable: $ACTION
regex: actions/checkout@.*
- metavariable-pattern:
language: generic
metavariable: $EXPR
patterns:
- pattern: ${{ github.event.pull_request ... }}
severity: WARNING