Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ Dangerous-Workflow: Check for workflow_run trigger #3892

Conversation

raghavkaul
Copy link
Contributor

What kind of change does this PR introduce?

Check for privileged usage of on: workflow_run trigger in GitHub Workflows.

  • Privileged: A workflow that uses this trigger contains an action that uses secrets.GITHUB_TOKEN

Which issue(s) this PR fixes

Fixes #3861.

Special notes for your reviewer

The largest function, checkUsesGithubToken checks if secrets.GITHUB_TOKEN is passed to another workflow. There are a lot of nil checks. Another approach is to look through the GitHub Workflow AST, but I wasn't sure if this was possible with actionlint.

@raghavkaul raghavkaul requested a review from a team as a code owner February 20, 2024 21:50
@raghavkaul raghavkaul requested review from naveensrinivasan and laurentsimon and removed request for a team February 20, 2024 21:50
Signed-off-by: Raghav Kaul <[email protected]>
Copy link

codecov bot commented Feb 21, 2024

Codecov Report

Attention: Patch coverage is 79.87421% with 32 lines in your changes are missing coverage. Please review.

Project coverage is 70.76%. Comparing base (54690b4) to head (257f45d).
Report is 88 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3892      +/-   ##
==========================================
- Coverage   75.50%   70.76%   -4.75%     
==========================================
  Files         231      232       +1     
  Lines       15669    15825     +156     
==========================================
- Hits        11831    11198     -633     
- Misses       3109     3940     +831     
+ Partials      729      687      -42     

@raghavkaul
Copy link
Contributor Author

/scdiff generate Dangerous-Workflow

Copy link

@laurentsimon
Copy link
Contributor

laurentsimon commented Feb 22, 2024

Couple of comments:

  1. Do we care that a GITHUB_TOKEN is referenced? Actions called in a workflow can reference the token themselves. So I would say it does not matter if the token if referenced in the workflow or not. What matters more is whether the token has a dangerous permissions - right now we're not validating this in the Dangerous-Workflow for simplicity, but we could
  2. iiuc, the solution to pull_request_target in https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ would be detected as a vuln with the changes in this PR, but should not

I think what we're missing is capturing the context #3861., which is that one of the workflow referenced in workflows: [Run Tests, Another] must be running with a lower privilege, eg not on a PR. There is also an assumption that the workflow_run workflow uses non-sanitized inputs from the less-privileged first workflow: This may be one of the github.* variables (already covered by the check), a checkout + run (already covered by the check), an artifact download (not covered by the check yet). So maybe we should start by detecting artifact download + first workflow not running on PR - and possible check if the workflow_run is privileged, ie dangerous permission is used (package, etc) or used of any secrets?

something unclear to me: does workflow_run accept a branch option? I don't see it documented in https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run

@pnacht
Copy link
Contributor

pnacht commented Feb 22, 2024

something unclear to me: does workflow_run accept a branch option? I don't see it documented in https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run

https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#limiting-your-workflow-to-run-based-on-branches

@raghavkaul
Copy link
Contributor Author

raghavkaul commented Feb 23, 2024

Ah, I assumed GITHUB_TOKEN had to be passed explicitly to be available. Yes, it's possible for there to be false positives. Is there another indicator of "sensitive workflow" here? And also, if the triggered workflow is restricted to branch: [<default>] as in Pedro's link, then it's not vulnerable to this attack.

one of the github.* variables (already covered by the check)

We only check for secrets.GITHUB_TOKEN being passed, why would passing github.* be unsafe?

a checkout + run (already covered by the check)

We cover this, but don't explicitly differentiate from composite actions that exist in the same repo. I can modify the code to cover this case though.

an artifact download

Isn't artifact upload (publishing) what we care about?

@spencerschrock
Copy link
Member

We only check for secrets.GITHUB_TOKEN being passed, why would passing github.* be unsafe?

github.token is another way of accessing secrets.GITHUB_TOKEN

@spencerschrock
Copy link
Member

Isn't artifact upload (publishing) what we care about?

We care about downloading an artifact produced by the other workflow.

And also, if the triggered workflow is restricted to branch: [] as in Pedro's link, then it's not vulnerable to this attack.

See #3861 (comment)

@laurentsimon
Copy link
Contributor

laurentsimon commented Feb 26, 2024

We cover this, but don't explicitly differentiate from composite actions that exist in the same repo. I can modify the code to cover this case though.

My suggestion is to keep this PR simple and do this in another PR. There has not been many complains (AFAIK) about false positives introduced by the lack of permission checking. Maybe it's uncommon in practice so we need not prioritize this?

Isn't artifact upload (publishing) what we care about?

We care about downloading an artifact produced by the other workflow.

+1

And also, if the triggered workflow is restricted to branch: [] as in Pedro's link, then it's not vulnerable to this attack.

See #3861 (comment)

I thought it does work As for my previous comment, I did some digging and this does indeed seem to work, even though release.yml sets branches: [main]. This is very weird to me and honestly feels like a bug...

Copy link

This pull request has been marked stale because it has been open for 10 days with no activity

@raghavkaul
Copy link
Contributor Author

Not stale, waiting for update on #3861.

Copy link

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added Stale and removed Stale labels Mar 26, 2024
Copy link

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added the Stale label Apr 13, 2024
@laurentsimon
Copy link
Contributor

@raghavkaul still interested in getting this PR cross the finish line?

@github-actions github-actions bot removed the Stale label Apr 14, 2024
Copy link

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added the Stale label Apr 25, 2024
@github-actions github-actions bot closed this May 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

Feature: Check for usage of on: workflow_run trigger
4 participants