For developers, pushing a project to GitHub and getting it to run does not mean the project is finished; a great deal of deployment and testing still has to be done by hand.
GitHub Actions can simplify that step by automating tests of project code, and many people now use it for continuous integration / continuous deployment (CI/CD). Recently, however, a hidden vulnerability was found in Actions.
Researchers at Google Project Zero found a design flaw in GitHub Actions that lets an attacker write to a developer's repository and can even expose encrypted secrets.
GitHub Actions has a serious security vulnerability
Google Project Zero researcher Felix Wilhelm found that the workflow command feature of GitHub Actions serves as the communication channel between the Action Runner and the actions it executes. Workflow commands are parsed from STDOUT, and one of the commands carried there is set-env.
set-env can define any environment variable as part of the workflow, which makes it extremely vulnerable to injection. Because the runner parses every STDOUT line looking for workflow commands, "every GitHub Action that prints untrusted content during execution can be attacked."
Wilhelm studied some popular GitHub repositories and found that almost every project using GitHub Actions with any degree of complexity could be attacked; even GitHub's own actions are vulnerable to the problem.
Google Project Zero reported the vulnerability to GitHub long ago
Reportedly, Google Project Zero gave GitHub the standard 90 days to fix the issue and then extended that deadline by 14 days. When GitHub asked for a further extension after the grace period, Project Zero refused and disclosed the details of the vulnerability.
Google Project Zero is an internet security project Google announced in 2014. The team is made up of Google's top security engineers and finds, tracks and helps fix software vulnerabilities that have not yet been disclosed.
The vulnerabilities Project Zero handles are usually "zero-day" vulnerabilities: flaws that have not been made public, so users cannot fix them right away. Google created Project Zero to prevent attackers from exploiting zero-day vulnerabilities.
Reportedly, after finding a vulnerability, Project Zero first contacts the affected organization, gives it 90 days to fix the flaw, and does not publish details until the fix is complete. In July of this year, the Project Zero team issued a vulnerability warning to GitHub.
More trouble hidden in GitHub Actions
Felix Wilhelm said frankly that more trouble may be hidden in GitHub Actions' workflow commands, and admitted that he had not yet examined the security implications of the other workflow commands.
Felix Wilhelm believes: "The way workflow commands are implemented is fundamentally insecure. Deprecating the v1 command syntax and hardening set-env with an allowlist would likely blunt the direct RCE [remote code execution] vector. However, even the ability to set 'normal' environment variables used by later steps is probably enough to exploit the most complex actions."
There is, of course, a way to fix the problem for good. Wilhelm recommends moving workflow commands to a separate channel (for example, a new file descriptor) so that STDOUT is no longer parsed at all. The drawback is that this would break many existing actions.
GitHub's developers have started by removing the two most vulnerable commands from the Runner. A future Runner update will disable the set-env and add-path workflow commands.
At the same time, GitHub advises developers to "upgrade to @actions/core v1.2.6 or later, and replace any instance of the set-env or add-path commands in your workflows with the new Environment File syntax."
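The Python below is an added example, not code from this article, from GitHub or from Project Zero. It models the two behaviours described above: the old runner scanning every STDOUT line for a `::set-env` command, and the replacement in which variables are written to the GITHUB_ENV environment file and read back only from that file. Both parsers are simplified models of the runner, not GitHub's code. NODE_OPTIONS is the variable Wilhelm's writeup used to turn an injected environment variable into code execution in a later Node.js step; the commit message text and the /tmp/hook.js path are constructed for the example.

```python
import os
import re
import secrets
import tempfile

# ---- Model of the legacy (v1) behaviour: commands parsed out of STDOUT ----

# Legacy workflow command syntax (simplified model, not the runner's code):
#   ::set-env name=NAME::VALUE
# Any step output line matching this became an environment variable for
# every later step in the job.
SET_ENV_RE = re.compile(r"^::set-env name=([^:=]+)::(.*)$")

def legacy_parse_stdout(stdout: str) -> dict:
    """Scan every STDOUT line for ::set-env, as the old runner did."""
    env = {}
    for line in stdout.splitlines():
        m = SET_ENV_RE.match(line.strip())
        if m:
            env[m.group(1)] = m.group(2)
    return env

def log_step(untrusted: str) -> str:
    """A harmless-looking step that echoes attacker-controlled text
    (e.g. a commit message or PR body) to its log."""
    return f"Commit message:\n{untrusted}\n"

def demo_legacy(untrusted: str) -> dict:
    """Environment the old runner would hand to later steps."""
    return legacy_parse_stdout(log_step(untrusted))

# ---- Model of the replacement: the GITHUB_ENV environment file ----

ENV_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def naive_write_env(env_file: str, name: str, value: str) -> None:
    """Unsafe: an untrusted value containing a newline can append
    a second NAME=VALUE assignment of its own."""
    with open(env_file, "a", encoding="utf-8") as f:
        f.write(f"{name}={value}\n")

def safe_write_env(env_file: str, name: str, value: str) -> None:
    """Write NAME=VALUE, switching to the delimiter form with a random
    delimiter whenever the value spans lines, so it cannot inject an
    assignment of its own."""
    if not ENV_NAME_RE.fullmatch(name):
        raise ValueError(f"bad variable name: {name!r}")
    with open(env_file, "a", encoding="utf-8") as f:
        if "\n" in value or "\r" in value:
            delim = "ghadelimiter_" + secrets.token_hex(16)
            f.write(f"{name}<<{delim}\n{value}\n{delim}\n")
        else:
            f.write(f"{name}={value}\n")

def parse_env_file(env_file: str) -> dict:
    """Read assignments back the way the new runner does: only from the
    file, never from STDOUT. Handles NAME=VALUE and NAME<<DELIM ... DELIM."""
    env = {}
    with open(env_file, encoding="utf-8") as f:
        lines = f.read().split("\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():
            continue
        head, sep, tail = line.partition("<<")
        if sep and "=" not in head:
            body = []
            while i < len(lines) and lines[i] != tail:
                body.append(lines[i])
                i += 1
            i += 1  # skip the closing delimiter
            env[head] = "\n".join(body)
        else:
            name, _, value = line.partition("=")
            env[name] = value
    return env

def demo_env_file(untrusted: str, writer=safe_write_env) -> dict:
    """Run the same logging step, store the untrusted text as a legitimate
    variable through the env file, and read the resulting environment."""
    fd, path = tempfile.mkstemp(prefix="github_env_")
    os.close(fd)
    try:
        log_step(untrusted)  # still printed to the log, but never parsed
        writer(path, "COMMIT_MSG", untrusted)
        return parse_env_file(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    # Constructed attacker input: the second line is a v1 workflow command.
    payload = "Fix typo\n::set-env name=NODE_OPTIONS::--require /tmp/hook.js"
    print("legacy runner :", demo_legacy(payload))
    print("env file      :", demo_env_file(payload))
    print("naive env file:", demo_env_file("x\nNODE_OPTIONS=--require /tmp/hook.js",
                                           writer=naive_write_env))
```

The environment file only closes the STDOUT channel. If a step appends an untrusted value with a plain `echo "NAME=$VALUE" >> "$GITHUB_ENV"` and the value contains a newline, the attacker again controls an assignment, which is what `naive_write_env` shows; the delimiter form with a random delimiter is the safe way to store multi-line values, and later versions of `@actions/core`'s `exportVariable` take the same approach.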
Workflows and actions that keep using the old commands or old toolkit versions will receive a warning from GitHub, and once the unsafe commands are disabled, runs that still try to use them will fail.
As is often the case with security issues, it is time to start patching and cleaning up the code. For developers, security work is never done...