Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Remote code execution in Homebrew by compromising the official Cask repository

By ryotak, posted 4 years ago
  • Homebrew is a package manager for macOS that is run from the terminal. I personally use Homebrew all of the time, so hearing about vulnerabilities in it is quite interesting.
  • The vulnerability exists in a Homebrew GitHub Actions automation. A GitHub Action is a workflow that runs when something happens to the repository, such as a pull request being opened. One of Homebrew's actions auto-merges a PR if the change is simple enough.
  • The author could not find a vulnerability in that logic directly, so instead they went to the git_diff repository to see how the merge functionality worked.
  • The diff functionality is quite complex and has many interesting primitives for a remote attacker. In particular, git_diff takes the file information describing where to write the file directly from the diff itself! With this in mind, it was possible to craft a PR with a zero-line change that could overwrite a Ruby file in Homebrew itself.
  • The root cause was not a vulnerability in git_diff's parsing library. Instead, the library was being used in an unintended way: the authors of git_diff never expected an attacker to control the file information when they wrote the tool. Overall, an interesting finding where the issue lies in how the components were integrated rather than in any single one of them.
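Added example (my own, not code from ryotak's post or from Homebrew's automation) of the kind of gate the summary describes: a small unified-diff parser that reports which paths a diff would write and how many lines it changes, and an auto-merge check that refuses any target path outside Casks/ rather than trusting the file header. The cask name, directory layout and line threshold are assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed unified diff (hypothetical cask name): a one-line version bump.
SAFE_DIFF = """diff --git a/Casks/example-app.rb b/Casks/example-app.rb
--- a/Casks/example-app.rb
+++ b/Casks/example-app.rb
@@ -2,3 +2,3 @@
 cask "example-app" do
-  version "1.0.0"
+  version "1.0.1"
   sha256 "PLACEHOLDER"
"""

# Constructed variant whose file header names a path outside Casks/.
UNSAFE_DIFF = SAFE_DIFF.replace("Casks/example-app.rb", "lib/automation.rb")

HEADER_RE = re.compile(r"^\+\+\+ b/(.+)$")

def parse_diff(diff_text):
    """Return (target_paths, changed_lines). File headers are only honoured
    outside hunks, so a hunk line that starts with '+++ ' is counted as an
    added line instead of being mistaken for a new file header."""
    paths, changed, in_hunk = [], 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False          # a new file section begins
        elif line.startswith("@@"):
            in_hunk = True           # hunk body follows
        elif in_hunk:
            if line.startswith(("+", "-")):
                changed += 1
        else:
            m = HEADER_RE.match(line)
            if m:
                paths.append(m.group(1))
    return paths, changed

def cask_path_ok(path):
    """Allow only Casks/<name>.rb: no absolute paths, no '..', no subdirectories."""
    p = PurePosixPath(path)
    return (not p.is_absolute() and len(p.parts) == 2 and p.parts[0] == "Casks"
            and p.suffix == ".rb" and ".." not in p.parts)

def is_trivial_cask_change(diff_text, max_changed=2):
    """Auto-merge gate: every path the diff would write must pass cask_path_ok
    and the total number of added/removed lines must stay small."""
    paths, changed = parse_diff(diff_text)
    return bool(paths) and all(cask_path_ok(p) for p in paths) and changed <= max_changed
```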