GitHub actions is exposed to serious security vulnerabilities, and Google Project Zero discloses details

Time:2022-1-13

GitHub actions is exposed to serious security vulnerabilities, and Google Project Zero discloses details

For developers, creating a project on GitHub for operation does not mean that the project has been really completed. There are still a lot of deployment and testing work to be done manually.

GitHub’s action function can simplify this step and automatically test the project code. Now many people have used it for continuous integration / continuous deployment (CI / CD), but recently, a security vulnerability has been found hidden in actions.

Researchers at Google Project Zero found that a design flaw in GitHub action allows hackers to write to developers’ repositories and even display encrypted confidential files.

A critical security vulnerability exists in GitHub actions

Felix Wilhelm, a researcher at Google project zero, found that the GitHub actions workflow command function acts as a communication channel between the action runner and the actions executed. This means that workflow commands work by parsing stdout of all executed operations. One of those commands carried by stdout is “set env”.

Set env can define any environment variable as a part of workflow, which is very vulnerable to injection attack. When the running program parses each stdout line to find workflow commands, each “GitHub action that prints untrusted content during execution will be attacked”.

Felix Wilhelm studied some popular GitHub repositories. He found that almost all projects with some complex GitHub actions may be attacked, and even GitHub’s own behavior is vulnerable to this problem.

Google Project Zero has already notified GitHub of this vulnerability

GitHub actions is exposed to serious security vulnerabilities, and Google Project Zero discloses details

It is understood that Google Project Zero extended this time by 14 days on the basis of the 90 day repair period provided for GitHub. After GitHub again proposed to extend the grace period, Google Project Zero rejected the request and disclosed the details of the vulnerability.

Google Project Zero is an Internet security project announced by Google in 2014. The whole team is composed of top security engineers within Google to discover, track and repair software security vulnerabilities that have not been disclosed.

The security vulnerabilities handled by Google project zero are usually “zero day vulnerabilities”. Such security vulnerabilities are usually not disclosed, and users cannot fix them at the first time. In order to prevent hackers from using zero day vulnerabilities to launch attacks, Google launched the project zero plan.

It is understood that after discovering the vulnerability, Google Project Zero will first contact the affected institutions and give a 90 day repair period. Relevant information will not be disclosed until the vulnerability is repaired. In July this year, the project zero team issued a vulnerability warning to GitHub.

More trouble is hidden in GitHub action

Felix Wilhelm admitted that hiding in the GitHub action workflow command may encounter more problems. He admitted that he did not consider the security impact of other workspace commands.

Felix Wilhelm believes that “the way to implement workflow commands is fundamentally unsafe. Abolishing V1 command syntax and using allowlist to strengthen set env may not be conducive to the direct rce [remote code execution] vector. However, even if it can override the ‘normal’ environment variables used in subsequent steps, it may be enough to take advantage of the most complex operations.”

Of course, there are ways to solve this problem once and for all. Felix Wilhelm recommends moving workflow commands to an unconstrained channel (such as a new file descriptor) to avoid parsing stdout. But there is also a small problem in doing so, which will destroy many existing code operations.

GitHub developers are removing the two most vulnerable commands from runner. In the future, the runner will release an update that will disable the set Env and add path workflow commands.

At the same time, GitHub suggested that developers “should upgrade to @ actions / core v1.2.6 or later and replace any instance of set env or add path commands in the workflow with a new environment file syntax.”

If you continue to use the workflow and operations of the old command or the old toolkit version, GitHub will issue a warning. If you continue to try to use the old unsafe command, the workflow execution process will make an error.

As security problems often occur, it’s time to start patching and cleaning up the code. The security work of developers will never be completed

GitHub actions is exposed to serious security vulnerabilities, and Google Project Zero discloses details