chore: prevent action bash escapes #294
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rbtr
added
type/fix
vakalapa
reviewed
Apr 18, 2024
Signed-off-by: Evan Baker <[email protected]>
rbtr
force-pushed
the
fix/prevent-escapes
branch
from
0227137
to
d4c9e7f
Compare
timraymond
approved these changes
Apr 18, 2024
|
Hey all, y'all hopped on this one quite quickly and nailed the impact assessment. Historically Ive reported similar findings on other Microsoft repos to the MSRC and was going about to fill a new report for this repo after looking more into any impact escalations (though no other vectors are jumping out to me). Overall solid stuff! Happy to provide any info on my end too |
|
Thanks @robertprast, if you find anything else do let us know 🙂 |
I am running poutine on public repos, and will let you know if there will be anything else. |
nddq
pushed a commit
that referenced
this pull request
May 6, 2024
# Description @robertprast in #285 and @random-dudde over at https://github.com/random-dudde/retina/pull/1 are poking at the [commit-message](https://github.com/microsoft/retina/blob/30a128b985bc99fc8686ef21afa1cc7358dc7dfd/.github/workflows/commit-message.yaml) Action trying to pull off a bash escape exploit. The bash escape actually exists, due to the direct usage of the PR title: ```bash commit_msg_header="${{ github.event.pull_request.title }}" ``` **However, this is not readily exploitable** because we require approval to run workflows on _all_ external contributions. A maintainer would need to approve the workflow, which makes it unlikely that any useful bash could be sneakily stuffed in to the title and executed. Even getting workflow approval with a benign title and then updating it later is correctly handled by GH and requires a new maintainer approval:  preventing a TOCTOU malicious title swap. With that all said...unlikely does not mean impossible, and even though it is not a zero-click attack, xz showed us that social engineering can be extremely effective. This change removes the bash escape by staging the user-input in an [intermediate environment variable](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable) at the Job level. ## Related Issue If this pull request is related to any issue, please mention it here. Additionally, make sure that the issue is assigned to you before submitting this pull request. ## Checklist - [x] I have read the [contributing documentation](https://retina.sh/docs/contributing). - [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits. - [x] I have correctly attributed the author(s) of the code. - [x] I have tested the changes locally. - [x] I have followed the project's style guidelines. - [x] I have updated the documentation, if necessary. - [x] I have added tests, if applicable. ## Screenshots (if applicable) or Testing Completed Please add any relevant screenshots or GIFs to showcase the changes made. ## Additional Notes Add any additional notes or context about the pull request here. --- Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project. Signed-off-by: Evan Baker <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
@robertprast in #285 and @random-dudde over at https://github.com/random-dudde/retina/pull/1 are poking at the commit-message Action trying to pull off a bash escape exploit.
The bash escape actually exists, due to the direct usage of the PR title:
commit_msg_header="${{ github.event.pull_request.title }}"However, this is not readily exploitable because we require approval to run workflows on all external contributions. A maintainer would need to approve the workflow, which makes it unlikely that any useful bash could be sneakily stuffed in to the title and executed.
Even getting workflow approval with a benign title and then updating it later is correctly handled by GH and requires a new maintainer approval:
preventing a TOCTOU malicious title swap.
With that all said...unlikely does not mean impossible, and even though it is not a zero-click attack, xz showed us that social engineering can be extremely effective.
This change removes the bash escape by staging the user-input in an intermediate environment variable at the Job level.
Related Issue
If this pull request is related to any issue, please mention it here. Additionally, make sure that the issue is assigned to you before submitting this pull request.
Checklist
git commit -S -s ...). See this documentation on signing commits.Screenshots (if applicable) or Testing Completed
Please add any relevant screenshots or GIFs to showcase the changes made.
Additional Notes
Add any additional notes or context about the pull request here.
Please refer to the CONTRIBUTING.md file for more information on how to contribute to this project.