
New audit: comment triggers #459

Open
woodruffw opened this issue Jan 18, 2025 · 0 comments
Labels
new-audit New audits

Comments

@woodruffw
Owner

A lot of workflows use the issue_comment trigger, followed by a match on the comment body like so:

```yaml
if: github.event.issue.pull_request && contains(github.event.comment.body, '/execute')
```

When a user comments /execute, the workflow then performs whatever action matches the command.

This has two footguns:

  • Without an appropriate actor/actor association check, this allows anybody on GitHub to trigger the workflow. Typically this is just a waste of CI minutes, but sometimes it can also trigger something destructive.
  • More generally, issue_comment is a "privileged" trigger like pull_request_target and workflow_run, meaning that it has access to the default GITHUB_TOKEN. This makes it an appealing entrypoint for cache poisoning, etc.

This will probably be an auditor-only check, since it's hard to establish a security baseline for these.

@woodruffw woodruffw added the new-audit New audits label Jan 18, 2025
@woodruffw woodruffw self-assigned this Jan 18, 2025
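As an added example (not part of the issue and not zizmor's own code), the pattern the issue describes next to a hardened form of it. The workflow names, the `/execute` command and the `echo` step are placeholders; the `author_association` field and the `permissions` block are standard GitHub Actions features.

```yaml
# Added example, not from the issue or from zizmor. Two hypothetical
# workflows: the weak form the issue describes, then a hardened form.

# --- Weak: any GitHub account can trigger the job -------------------------
name: slash-command-weak
on:
  issue_comment:
    types: [created]

jobs:
  execute:
    # Only checks that the comment is on a PR and contains the command.
    # No check on who wrote it, and GITHUB_TOKEN keeps its default grants.
    if: github.event.issue.pull_request && contains(github.event.comment.body, '/execute')
    runs-on: ubuntu-latest
    steps:
      - run: echo "running /execute for PR #${{ github.event.issue.number }}"

---
# --- Hardened: restrict who may trigger it and what the token can do ------
name: slash-command-hardened
on:
  issue_comment:
    types: [created]

# Replace the default GITHUB_TOKEN grants with only what the job needs.
permissions:
  contents: read
  pull-requests: write   # e.g. to post a status comment back on the PR

jobs:
  execute:
    # Job-level condition: nothing in the job (not even checkout) runs
    # unless the comment is on a PR, starts with the command, and was
    # written by someone with a trusted association to the repository.
    if: >-
      github.event.issue.pull_request &&
      startsWith(github.event.comment.body, '/execute') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      # Interpolate only trusted, numeric context here; never splice
      # github.event.comment.body into a run: script.
      - run: echo "running /execute for PR #${{ github.event.issue.number }}"
```

The `author_association` check is what closes the first footgun: `CONTRIBUTOR`, `FIRST_TIME_CONTRIBUTOR` and `NONE` are deliberately absent from the allow list, so a comment from an arbitrary account never reaches the steps. The `permissions` block narrows the second: the job still runs with the privileged `issue_comment` context, but the token it receives cannot write anything the job was not explicitly granted. Keeping the condition at the job level rather than on individual steps matters because any step that runs before the check, including `actions/checkout`, already executes with that token.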