GitHub is the most popular hosted source control management service. GitHub offers many features and controls. One popular feature is GitHub Actions, GitHub's built-in CI/CD system. One useful (and obvious) control that can be added is the ability to require reviews before a pull request can be merged.
So, what's the problem here? GitHub Actions is simply too powerful! When opening a PR, an attacker can include a workflow that automatically approves the PR on the pull request event. Because the workflow runs with write permissions to the repository, the review requirement is completely bypassed.
This attack assumes that a developer's account has been compromised. The review process is put in place to prevent crappy/malicious code from making it into production. This is a perfect example of complexity simply circumventing a security protection.
What is the fix for this? The author does not mention how GitHub fixed this. I would imagine that the token for the workflow was verified to see if the review had taken place prior to the merge operation happening. It should also be noted that GitHub Actions is enabled on all organizations by default, which makes this significantly worse.
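The detection side of this is straightforward to script. The following is an added example, not code from the original post or from GitHub: it audits the reviews on a pull request and counts only human approvals toward the review requirement, flagging any approval submitted by an automation identity such as `github-actions[bot]` (the login the workflow token acts as). The review records are constructed inline and mirror the field names of the GitHub REST API review objects (`state`, `user.login`, `user.type`, `submitted_at`); the policy function and its threshold are assumptions for the example.

```python
"""Audit pull request reviews so that only human approvals count.

The records below are constructed for this example. They follow the shape
of objects returned by GET /repos/{owner}/{repo}/pulls/{n}/reviews, but
nothing here calls the API.
"""
from datetime import datetime

# Logins a workflow token can act as. Approvals from these must never
# satisfy a "required approving reviews" rule (assumed list for the example).
AUTOMATION_LOGINS = {"github-actions[bot]"}

# Review states that express a decision; COMMENTED and DISMISSED do not.
DECISION_STATES = {"APPROVED", "CHANGES_REQUESTED"}

# Constructed sample: a bot approval, a human who later withdrew approval,
# and a human who approved after commenting.
SAMPLE_REVIEWS = [
    {"state": "APPROVED", "submitted_at": "2021-06-01T10:00:00Z",
     "user": {"login": "github-actions[bot]", "type": "Bot"}},
    {"state": "APPROVED", "submitted_at": "2021-06-01T10:05:00Z",
     "user": {"login": "alice", "type": "User"}},
    {"state": "COMMENTED", "submitted_at": "2021-06-01T10:10:00Z",
     "user": {"login": "bob", "type": "User"}},
    {"state": "CHANGES_REQUESTED", "submitted_at": "2021-06-01T10:30:00Z",
     "user": {"login": "alice", "type": "User"}},
    {"state": "APPROVED", "submitted_at": "2021-06-01T10:40:00Z",
     "user": {"login": "bob", "type": "User"}},
]

# Constructed sample reproducing the bypass: the only approval is the bot's.
BOT_ONLY_REVIEWS = [SAMPLE_REVIEWS[0]]


def _submitted(review):
    # ISO-8601 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(review["submitted_at"].replace("Z", "+00:00"))


def is_automation(user):
    """True for any identity a workflow or app token could be acting as."""
    login = user.get("login", "")
    return (user.get("type") == "Bot"
            or login in AUTOMATION_LOGINS
            or login.endswith("[bot]"))


def latest_decision_per_user(reviews):
    """Map login -> most recent APPROVED/CHANGES_REQUESTED review.

    A later CHANGES_REQUESTED overrides an earlier APPROVED, which is how
    GitHub's own required-review rule treats re-reviews.
    """
    latest = {}
    for review in sorted(reviews, key=_submitted):
        if review["state"] in DECISION_STATES:
            latest[review["user"]["login"]] = review
    return latest


def human_approvers(reviews):
    """Logins whose current decision is APPROVED and who are not automation."""
    return {login for login, review in latest_decision_per_user(reviews).items()
            if review["state"] == "APPROVED" and not is_automation(review["user"])}


def bot_approvals(reviews):
    """Approvals submitted by automation identities: the signal to alert on."""
    return sorted(r["user"]["login"] for r in reviews
                  if r["state"] == "APPROVED" and is_automation(r["user"]))


def meets_review_policy(reviews, required_approvals=1):
    """Policy check that ignores bot approvals entirely (assumed threshold)."""
    return len(human_approvers(reviews)) >= required_approvals


if __name__ == "__main__":
    for name, reviews in (("SAMPLE_REVIEWS", SAMPLE_REVIEWS),
                          ("BOT_ONLY_REVIEWS", BOT_ONLY_REVIEWS)):
        print(name, "human approvers:", human_approvers(reviews),
              "bot approvals:", bot_approvals(reviews),
              "policy met:", meets_review_policy(reviews))
```

Run against real data, the same functions would take the JSON list from the reviews endpoint. Any non-empty result from `bot_approvals` on a protected branch is worth an alert regardless of whether the policy check passes, since it means a workflow token was used to review a PR at all. The configuration-level counterpart is to scope workflow `permissions:` so that the token has no write access to pull requests unless a specific workflow needs it.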