New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Misleading best practice in actions security hardening #29817
Comments
|
Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines. |
|
@elad-pticha Thanks so much for opening an issue! We really appreciate the extra time to add all this helpful context and the screen shots ✨ I'll triage this for the team to take a look 👀 |
|
Thanks for raising this issue @elad-pticha! These are great considerations. Since we don't accept public contributions to this file, I'm going to copy this over to our internal repo and move this improvement along over there. This way, I can help loop in some of our experts on this. Closing this issue, but the topic is still open for our team to address. Cheers! |
|
Thank you @jc-clark! Will this issue be updated once resolved internally? |
This comment was marked as spam.
This comment was marked as spam.
|
@elad-pticha I'll leave feedback with the team to update here, but it may just be closed internally 💛 |
|
@janiceilene Hey, I'm just pinging to check if there is any update on this. |
|
@elad-pticha I'll leave a note for our team to update here, but we can't guarantee an update will be provided. However, the team is working on it! 👍 |
|
Hey, |
|
Hey @elad-pticha! Thanks for checking back in on this. I'm currently working with our engineering team to figure out the best way to fix up these docs. I'm not exactly sure when the changes will be live on the docs site, but I'll be sure to let you know when the articles are fixed. |
|
Sounds great @jc-clark! |
|
Hey @elad-pticha! Just circling back to let you know that we updated the Creating an action metadata file example. In Good practices for mitigating script injection attacks, we specified that you should use a JavaScript action in the example, since using a JavaScript based action is safe. Again, thank you for surfacing these for us! 🔬 |
|
@jc-clark This is great! Thank you! |
Code of Conduct
What article on docs.github.com is affected?
Article: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
that relates to https://docs.github.com/en/actions/creating-actions/creating-a-composite-action
What part(s) of the article would you like to see updated?
This issue is explicitly related to the Understanding the risk of script injections.
This section explains how command injection vulnerabilities could be exploited in GitHub actions and about untrusted inputs that users should avoid in inline scripts.
This section is followed by Good practices for mitigating script injection attacks.
The first good practice suggests creating a github composite action and passing untrusted arguments to the composite action.
It is described as follows: "This approach is not vulnerable to the injection attack, as the context value is not used to generate a shell script, but is passed to the action as an argument."
This statement is incorrect and may lead to different command injection attacks.
When creating a composite action, we specify some
inputsand may specifyoutputs.If those inputs are passed to an inline script, they will be vulnerable to command injection.
Let's start with the following scenario.
a.ymlthat is being trigged on everyissue_comment.action.yml) and pass the command body to it.Now, Inside the composite action, we access the issue body as follows:
If we pass the issue body as follows:
This composite action will be vulnerable to command injection.
In addition, the Creating an action metadata file suggests and encourages users to input variables directly to inline scripts that may compromise their build pipeline.
I think this problem should be fixed in a couple of layers.
inputvariables from untrusted sourcesinputsvariables directly to an inline script.Additional information
Examples:
Let's see with a little example how such a pipeline could be compromised and how users can protect themself against such attacks.
First, we have the workflow file we described:
And we also created the following composite action:
Issue that look like this:
$(ls)will trigger that pipeline + composite action to result:echodouble quotes because the exploitation is easier to understand.As we can see, using the composite action + inputs has resulted in a command injection, so the first misleading part is, "This approach is not vulnerable to the injection attack."
Secondly, as we said, the Creating an action metadata file suggests users to pass directly inputs to inline scripts.
Solution
A solution can be implemented differently, but one is declaring an environment variable outside the composite action and passing the env var.
Example
Now, our workflow will look like this:
And the composite action output will look like this:
This should help users pass untrusted inputs to action and be sure the action is not compromising their pipeline.
The text was updated successfully, but these errors were encountered: