
[actions] Add detection for workflow_dispatch TOCTOU

Open AdnaneKhan opened this issue 5 months ago • 0 comments

Description of the issue

There is a newer variation of GitHub Actions TOCTOU vulnerabilities known as "Workflow dispatch TOCTOU". I wrote about a real-world example in a recent bug report writeup:

https://adnanthekhan.com/posts/dependabot-core-toctou-writeup/

I think this is a good candidate for a High detection where a PR has the following characteristics:

  • Runs on workflow dispatch / repository dispatch with the PR number as an input parameter. Does NOT require a commit SHA.
  • Checks out code from that PR without some approval check.
  • Runs code.

High because there is a lot of context required to understand if a maintainer would actually ever run the workflow on a fork, and that is not possible to determine via static analysis alone.

I believe this would require some code changes in the library code: adding a concept of a non-externally-triggered workflow that is intended to act upon untrusted code. This could then fire the UntrustedCheckoutTOCTOU alert.

AdnaneKhan, Jun 20 '25 14:06
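As an added worked example (not code from the issue author and not one of CodeQL's own queries), the following Python heuristic flags the three characteristics listed in the issue on a workflow's parsed form. It consumes the dict that `yaml.safe_load` would return for a workflow file, so it runs without PyYAML; the three sample workflows embedded in it are constructed for illustration and are not taken from any real repository. Two rules are assumptions of this example rather than anything stated in the issue: an `if:` on the checkout step or its job is treated as a possible approval gate, and a dispatch input whose name contains `sha` or `commit` is treated as pinning the exact code.

```python
"""Heuristic detector for the "workflow dispatch TOCTOU" shape:

  1. the workflow runs on workflow_dispatch / repository_dispatch,
  2. actions/checkout takes its ref from a dispatch input that is a PR
     number or branch rather than a commit SHA, and
  3. a later step in the same job executes the checked-out code.

Added example, not CodeQL's actions library. Works on the dict form of a
workflow (what yaml.safe_load returns) so it needs no third-party package.
"""
import re

DISPATCH_EVENTS = {"workflow_dispatch", "repository_dispatch"}

# Expressions that carry caller-controlled data into a dispatched run.
INPUT_EXPR = re.compile(
    r"\$\{\{\s*(?:inputs|github\.event\.inputs|github\.event\.client_payload)"
    r"\.([A-Za-z0-9_]+)\s*\}\}"
)
# Ref shapes that resolve a moving PR head/merge commit instead of a pinned one.
PR_REF = re.compile(r"(^|/)pull/.+/(head|merge)$")
# Assumption of this example: an input named like a SHA pins the exact code.
SHA_LIKE_NAME = re.compile(r"sha|commit", re.I)


def trigger_events(workflow: dict) -> set:
    """Event names the workflow listens on.

    PyYAML (YAML 1.1) parses a bare `on:` key as the boolean True, so both
    the string key and the boolean key are accepted here.
    """
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    if isinstance(on, dict):
        return set(on.keys())
    return set()


def checkout_ref_from_dispatch(step: dict):
    """Return (ref, input_name) if `step` is actions/checkout with a ref built
    from a dispatch input; otherwise None."""
    uses = str(step.get("uses") or "")
    if not uses.startswith("actions/checkout"):
        return None
    ref = str((step.get("with") or {}).get("ref", ""))
    m = INPUT_EXPR.search(ref)
    if not m:
        return None
    return ref, m.group(1)


def runs_code_after(steps: list, idx: int) -> bool:
    """True if any step after `idx` runs a shell command or a local action
    (uses: ./...), both of which execute the checked-out tree."""
    for later in steps[idx + 1:]:
        if "run" in later or str(later.get("uses") or "").startswith("./"):
            return True
    return False


def find_dispatch_toctou(workflow: dict) -> list:
    """Return one finding per unpinned, ungated checkout-then-run sequence."""
    findings = []
    if not trigger_events(workflow) & DISPATCH_EVENTS:
        return findings  # other triggers belong to the existing TOCTOU queries
    for job_name, job in (workflow.get("jobs") or {}).items():
        steps = job.get("steps") or []
        for i, step in enumerate(steps):
            hit = checkout_ref_from_dispatch(step)
            if hit is None:
                continue
            ref, input_name = hit
            # A SHA input names the commit the maintainer reviewed: no TOCTOU window.
            if SHA_LIKE_NAME.search(input_name) and not PR_REF.search(ref):
                continue
            # Assumption: any `if:` on the step or job may be an approval gate.
            if step.get("if") or job.get("if"):
                continue
            if not runs_code_after(steps, i):
                continue
            findings.append({"job": job_name, "step": i, "ref": ref, "input": input_name})
    return findings


# Constructed sample (not a real repository's workflow): the vulnerable shape.
VULNERABLE = {
    "name": "Test a contributor PR",
    "on": {"workflow_dispatch": {"inputs": {"pr_number": {"type": "string", "required": True}}}},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4", "with": {"ref": "refs/pull/${{ inputs.pr_number }}/head"}},
        {"run": "npm ci && npm test", "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"}},
    ]}},
}

# Constructed sample: same job, but the caller supplies the reviewed commit SHA.
PINNED = {
    "name": "Test a contributor PR",
    "on": {"workflow_dispatch": {"inputs": {"commit_sha": {"type": "string", "required": True}}}},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"run": '[[ "${{ inputs.commit_sha }}" =~ ^[0-9a-f]{40}$ ]]'},  # reject non-SHA values
        {"uses": "actions/checkout@v4", "with": {"ref": "${{ inputs.commit_sha }}"}},
        {"run": "npm ci && npm test"},
    ]}},
}

# Constructed sample: repository_dispatch variant, PR number via client_payload.
REPO_DISPATCH = {
    "on": ["repository_dispatch"],
    "jobs": {"bench": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "pull/${{ github.event.client_payload.pr }}/merge"}},
        {"uses": "./.github/actions/run-benchmarks"},
    ]}},
}

if __name__ == "__main__":
    for name, wf in [("VULNERABLE", VULNERABLE), ("PINNED", PINNED), ("REPO_DISPATCH", REPO_DISPATCH)]:
        print(name, find_dispatch_toctou(wf))
```

The heuristic deliberately stops at the three characteristics in the issue; whether a maintainer would ever dispatch the workflow against a fork is the triage context the issue says static analysis cannot supply, which is why the findings are meant for a High rather than a Critical severity.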