This is a misconfigured repository to show how to modify a GitHub Package using write permission or GitHub Actions.
Reposiroty configuration:
main
has branch protection enabled with a review fromCODEOWNERS
- anyone in PagoPA GitHub Organization has
write
permission on this repository packages
inherit access from source repository- repository package is a docker image
- GitHub Actions has access to
packages
You can check packages
settings here https://github.com/orgs/pagopa/packages/container/example-bad-repo-packages/settings
Attack scenario #1:
- a user with
write
permission can modify an existing docker image taggedv2
inpackages
using his personal PAT token
docker login ghcr.io
> insert GITHUB_USERNAME
> insert GITHUB_PAT_TOKEN
docker build -f Dockerfile.evil -t ghcr.io/pagopa/example-bad-repo-packages:v2 .
docker image push ghcr.io/pagopa/example-bad-repo-packages:v2
Attack scenario #2:
- a user with
write
permission can modify an existing docker image taggedv2
inpackages
creating a Pull Request (example Pull Request #1)
Safe scenario:
- using docker image sha will prevent a possibile supply chain attack. Some artifact format doesn't support sha, for example maven, so you need to protect the write access to
packages
to prevent tampering.
See this example https://github.com/pagopa/example-good-repo-packages