Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Misleading best practice in actions security hardening #29817

Closed
1 task done
elad-pticha opened this issue Nov 7, 2023 · 13 comments
Closed
1 task done

Misleading best practice in actions security hardening #29817

elad-pticha opened this issue Nov 7, 2023 · 13 comments
Labels
actions This issue or pull request should be reviewed by the docs actions team content This issue or pull request belongs to the Docs Content team waiting for review Issue/PR is waiting for a writer's review

Comments

@elad-pticha
Copy link

Code of Conduct

What article on docs.github.com is affected?

Article: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
that relates to https://docs.github.com/en/actions/creating-actions/creating-a-composite-action

What part(s) of the article would you like to see updated?

This issue is explicitly related to the Understanding the risk of script injections.

This section explains how command injection vulnerabilities could be exploited in GitHub actions and about untrusted inputs that users should avoid in inline scripts.

This section is followed by Good practices for mitigating script injection attacks.

The first good practice suggests creating a github composite action and passing untrusted arguments to the composite action.

uses: fakeaction/checktitle@v3
with:
    title: ${{ github.event.pull_request.title }}

It is described as follows: "This approach is not vulnerable to the injection attack, as the context value is not used to generate a shell script, but is passed to the action as an argument."

This statement is incorrect and may lead to different command injection attacks.
When creating a composite action, we specify some inputs and may specify outputs.

If those inputs are passed to an inline script, they will be vulnerable to command injection.
Let's start with the following scenario.

  1. We have a github workflow called a.yml that is being trigged on every issue_comment.
  2. We want to verify that each user submits a comment with an approved prefix
  3. We want to check what is the best way to do that, and we follow the GitHub Actions security hardening guidelines.
  4. We create a composite action (action.yml) and pass the command body to it.

Now, Inside the composite action, we access the issue body as follows:

- name: Test Comment
   shell: bash
   run: ./check-issue.sh ${{ inputs.body }}

If we pass the issue body as follows:

uses: ./github/actions/check-title
with:
    body: ${{ github.event.comment.body }}

This composite action will be vulnerable to command injection.

In addition, the Creating an action metadata file suggests and encourages users to input variables directly to inline scripts that may compromise their build pipeline.

I think this problem should be fixed in a couple of layers.

  1. Changing the Good practices for mitigating script injection attacks to use composite action with environment variables to make sure composite actions will not be vulnerable to injection using the input variables from untrusted sources
  2. Changing the Creating an action metadata file that encourages users to directly pass inputs variables directly to an inline script.

Additional information

Examples:

Let's see with a little example how such a pipeline could be compromised and how users can protect themself against such attacks.

First, we have the workflow file we described:

image

And we also created the following composite action:

image

Issue that look like this: $(ls) will trigger that pipeline + composite action to result:

image
  • The same attack will be possible when using without the double quotes in the run script; I choose to demonstrate with the echo double quotes because the exploitation is easier to understand.

As we can see, using the composite action + inputs has resulted in a command injection, so the first misleading part is, "This approach is not vulnerable to the injection attack."

Secondly, as we said, the Creating an action metadata file suggests users to pass directly inputs to inline scripts.

Solution

A solution can be implemented differently, but one is declaring an environment variable outside the composite action and passing the env var.

Example

Now, our workflow will look like this:

image

And the composite action output will look like this:

image

This should help users pass untrusted inputs to action and be sure the action is not compromising their pipeline.

@elad-pticha elad-pticha added the content This issue or pull request belongs to the Docs Content team label Nov 7, 2023
Copy link

welcome bot commented Nov 7, 2023

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Nov 7, 2023
@cmwilson21
Copy link
Contributor

@elad-pticha Thanks so much for opening an issue! We really appreciate the extra time to add all this helpful context and the screen shots ✨

I'll triage this for the team to take a look 👀

@cmwilson21 cmwilson21 added actions This issue or pull request should be reviewed by the docs actions team waiting for review Issue/PR is waiting for a writer's review and removed triage Do not begin working on this issue until triaged by the team labels Nov 7, 2023
@jc-clark
Copy link
Contributor

jc-clark commented Nov 15, 2023

Thanks for raising this issue @elad-pticha! These are great considerations.

Since we don't accept public contributions to this file, I'm going to copy this over to our internal repo and move this improvement along over there. This way, I can help loop in some of our experts on this.

Closing this issue, but the topic is still open for our team to address. Cheers!

@elad-pticha
Copy link
Author

elad-pticha commented Nov 19, 2023

Thank you @jc-clark! Will this issue be updated once resolved internally?

@KORN14K

This comment was marked as spam.

@janiceilene
Copy link
Contributor

@elad-pticha I'll leave feedback with the team to update here, but it may just be closed internally 💛

@elad-pticha
Copy link
Author

@janiceilene Hey, I'm just pinging to check if there is any update on this.

@nguyenalex836
Copy link
Contributor

@elad-pticha I'll leave a note for our team to update here, but we can't guarantee an update will be provided. However, the team is working on it! 👍

@elad-pticha
Copy link
Author

Hey,
Pinging again about this. Is there anything new?

@jc-clark
Copy link
Contributor

Hey @elad-pticha! Thanks for checking back in on this. I'm currently working with our engineering team to figure out the best way to fix up these docs. I'm not exactly sure when the changes will be live on the docs site, but I'll be sure to let you know when the articles are fixed.

@elad-pticha
Copy link
Author

Sounds great @jc-clark!
If needed, I would be happy to share more thoughts.

@jc-clark
Copy link
Contributor

jc-clark commented Feb 7, 2024

Hey @elad-pticha! Just circling back to let you know that we updated the Creating an action metadata file example.

In Good practices for mitigating script injection attacks, we specified that you should use a JavaScript action in the example, since using a JavaScript based action is safe.

Again, thank you for surfacing these for us! 🔬

@elad-pticha
Copy link
Author

@jc-clark This is great! Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
actions This issue or pull request should be reviewed by the docs actions team content This issue or pull request belongs to the Docs Content team waiting for review Issue/PR is waiting for a writer's review
Projects
None yet
Development

No branches or pull requests

7 participants
@janiceilene @jc-clark @cmwilson21 @elad-pticha @KORN14K @nguyenalex836 and others