Action pull-request.yml possibly vulnerable to RCE #3699
Assignees
Labels
bug
Bug
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
The pull-request.yml is vulnerable to RCE via a malicious PR
https://github.com/webex/webex-js-sdk/blob/next/.github/workflows/pull-request.yml
See more information in the github blog
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
To Reproduce
Steps to reproduce the behavior:
While the event verifies that the PR contains a validated label, it is possible for the attacker to push malicious content to the PR after this label was added. After the validation, the workflow:
- name: Checkout Project
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
Checks out the PR, which may contain malicious data.
Then it runs yarn, which uses local data, and may lead to RCE:
- name: Install Dependencies
run: yarn
Expected behavior
May consider not using the pull_request action or a different flow to invoke yarn.
Screenshots
If applicable, add screenshots to help explain your problem.
Platform (please complete the following information):
Additional context
No additional context but refer to the github best practices
The text was updated successfully, but these errors were encountered: