changed-files icon indicating copy to clipboard operation
changed-files copied to clipboard
verified publisher icon tj-actions

Questions about security vulnerability

Open crenshaw-dev opened this issue 11 months ago • 4 comments

Thanks for the quick follow-up to the recent compromise! The hardening steps give me a lot of confidence that the same thing won't happen again.

I have some additional questions:

  1. Does anyone have a copy of the malicious code? That would be the easiest way to confirm that my pinned actions didn't include the vulnerable code. It looks like the malicious commit has been removed from Github.
  2. Why recommend that people upgrade to the latest version? Is there any reason to believe that the malicious commit may still be present in, for example, branches or tags that people are referencing from their actions?
  3. Would it be possible to unlock the issue discussing the exploit? As far as I can tell, everyone is being respectful. I think it would be a great place for folks to discuss how we can all improve our CI setups.

Thanks again!

crenshaw-dev avatar Mar 17 '25 14:03 crenshaw-dev

Oops. My first question is answered by the first post on the linked issue. The reporter copy/pasted the malicious code. Would still be nice to see the commit, but I understand why it's not available via the Github UI.

crenshaw-dev avatar Mar 17 '25 16:03 crenshaw-dev

For 2, the recommendation has been updated on the README to continue to use the tagged versions, and update to the latest version is not required.

xprnvd avatar Mar 18 '25 04:03 xprnvd

GitHub docs say:

Using the commit SHA of a released action version is the safest for stability and security. https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses

Given that this repo was just compromised, why is the recommended action to keep using the tags, which can presumably be compromised again?

jshields avatar Mar 18 '25 16:03 jshields

Would it be possible to unlock the https://github.com/tj-actions/changed-files/issues/2464? As far as I can tell, everyone is being respectful.

Strongly agree, though now I guess this thread can be the discussion place. I don't think locking conversations is ever good practice, unless things are seriously seriously out of control, which I've only seen a handful of times in my many years on GitHub.

I have a somewhat widely used software package that includes the verify-changed-files action (not this one technically). I wanted to verify that that action wouldn't be able to suffer the same fate as this one?

From what I can tell, the exploit was a malicious commit and then also changing a bunch of tags to point to that commit? Personally I'll be switching to a specific commit hash for my installation, just to be extra safe.

vincerubinetti avatar Mar 18 '25 17:03 vincerubinetti

I wish that tj-action adds a bot-generated issue to all Github projects using tj-action/changed-files. A lot of the 22k affected Github projects did not yet notice the leak impacting them.

jidhub avatar Mar 19 '25 09:03 jidhub

As per the SECURITY.md, I think there should be a security advisory released for users.

josegonzalez avatar Mar 20 '25 16:03 josegonzalez

Hi @josegonzalez , yes there is a security advisory, CVE-2025-30066 was released to notify all affected users

jackton1 avatar Mar 22 '25 04:03 jackton1

Thanks. Not sure why it isn't showing up here though?

josegonzalez avatar Mar 22 '25 14:03 josegonzalez

It should be available here https://github.com/tj-actions/changed-files/security/advisories/GHSA-mw4p-6x4p-x5m5 now.

jackton1 avatar Mar 22 '25 16:03 jackton1