
Intriguing

Open fproulx-boostsecurity opened this issue 11 months ago • 10 comments

I find this scripts/test/github-event-object-is-snapshot.sh intriguing

https://github.com/nikitastupin/pwnhub/commit/e098ccfbe889e2c5f0ae9169be58c55430d7a65b#diff-da7ba472d28c68dd7a9924155379ecfdedb107998ea36323e6adbb61fb192061

Not quite sure what to make of it

fproulx-boostsecurity, Mar 14 '24 20:03

Hey @fproulx-boostsecurity! The script basically creates a test repo and shows that values of the ${{ github.event }} object are "frozen" at the moment of running the workflow (or rather emitting the event I guess). This behaviour is rather an edge-case but I've seen a couple of subtle vulnerabilities because of that.

nikitastupin, Mar 15 '24 16:03

Hmmm OK. So you mean if there is a race condition between the content of github.event used in some boolean logic to apply something, while the underlying repo state has already changed... interesting to consider indeed. I guess certain things are frozen (Git commit sha, ref, etc.) but maybe other things could change around and could lead to non-obvious bugs

Cool. If you are willing to share one such example (in DM if you want, let me know) https://twitter.com/francoisproulx/

fproulx-boostsecurity, Mar 19 '24 22:03

Yes, that's how it works in general. So far I have only one example and it's not fixed yet so unfortunately I can't disclose for now :)

nikitastupin, Mar 22 '24 11:03

Thanks for https://boostsecurityio.github.io/lotp/ by the way! I ought to add it to the README

nikitastupin, Mar 22 '24 11:03

So in summary to find issues of this class one should look for the following?

pull_request_target on the labeled trigger only + actions/checkout with ref: ${{ github.event.pull_request.head.ref }} and repository: ${{ github.event.pull_request.head.repo.full_name }} + the workflow runs the PR code

(or any variation of the above)

AdnaneKhan, Apr 07 '24 02:04

> So in summary to find issues of this class one should look for the following?
>
> pull_request_target on the labeled trigger only + actions/checkout with ref: ${{ github.event.pull_request.head.ref }} and repository: ${{ github.event.pull_request.head.repo.full_name }} + the workflow runs the PR code
>
> (or any variation of the above)

Yes, that's right!

nikitastupin, Jun 11 '24 18:06
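A small scanner for the pattern summarised above, added here as an illustration and not part of the thread or of pwnhub: it flags a workflow that triggers on `pull_request_target` with a `labeled` type and then checks out the mutable `head.ref` (the branch can move after the label was applied), and accepts the same workflow once it checks out the `head.sha` that was frozen into `github.event`. The sample workflows are constructed for the example.

```python
import re

# Constructed sample (not from the thread): pull_request_target gated on the
# "labeled" event, then checking out the PR head *branch* and running its code.
VULNERABLE_WORKFLOW = """\
on:
  pull_request_target:
    types: [labeled]
jobs:
  test:
    if: github.event.label.name == 'safe to test'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.ref }}
      - run: npm ci && npm test
"""

# Hardened variant: the branch name (mutable) is replaced by the commit SHA
# that was frozen into github.event at the moment the label was applied.
FIXED_WORKFLOW = VULNERABLE_WORKFLOW.replace("head.ref }}", "head.sha }}")

TRIGGER = re.compile(r"^\s*pull_request_target\s*:", re.M)
# "types: [labeled]" inline, or "types:" followed by a "- labeled" list item
LABELED = re.compile(r"types:(?:[^\n]*|\s*\n(?:\s*-[^\n]*\n)*?\s*-\s*)labeled")
CHECKOUT = re.compile(r"uses:\s*actions/checkout@")
STEP_END = re.compile(r"\n\s*-\s*(?:uses|run|name):")
HEAD_REF = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.ref\s*\}\}")


def find_toctou_checkout(workflow: str) -> list[str]:
    """Return one finding per checkout step that fetches head.ref under a
    label-gated pull_request_target trigger (empty list = pattern absent)."""
    findings: list[str] = []
    if not TRIGGER.search(workflow) or not LABELED.search(workflow):
        return findings  # not the privileged, label-gated trigger
    for hit in CHECKOUT.finditer(workflow):
        # Inspect only this step's own "with:" lines, up to the next step.
        nxt = STEP_END.search(workflow, hit.end())
        step = workflow[hit.start(): nxt.start() if nxt else len(workflow)]
        if HEAD_REF.search(step):
            findings.append(
                "actions/checkout fetches mutable head.ref under a label-gated "
                "pull_request_target; pin to github.event.pull_request.head.sha"
            )
    return findings
```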

It's basically a TOCTOU vulnerability

nikitastupin, Jun 11 '24 18:06

> It's basically a TOCTOU vulnerability

Ended up writing a tool + demo repo to make this easy to exploit (https://github.com/AdnaneKhan/ActionsTOCTOU/)

AdnaneKhan, Jun 11 '24 19:06

Looks awesome! We should add this and the other recent blog posts to the README! (shoot, wrong account 😅)

Done https://github.com/nikitastupin/pwnhub/commit/aa736f201a4f5350df7ddfbafda4300a9f40bd31

nikitastupin, Jun 12 '24 17:06