webex-js-sdk

Action pull-request.yml possibly vulnerable to RCE

Open nickleali opened this issue 1 year ago • 0 comments

Describe the bug
The pull-request.yml is vulnerable to RCE via a malicious PR

https://github.com/webex/webex-js-sdk/blob/next/.github/workflows/pull-request.yml

See more information in the GitHub blog: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

To Reproduce
Steps to reproduce the behavior:

While the event verifies that the PR contains a validated label, it is possible for the attacker to push malicious content to the PR after this label was added. After the validation, the workflow:

    - name: Checkout Project
      uses: actions/checkout@v3
      with:
        ref: ${{ github.event.pull_request.head.sha }}

checks out the PR, which may contain malicious data. Then it runs yarn, which uses local data and may lead to RCE:

    - name: Install Dependencies
      run: yarn

Expected behavior
May consider not using the pull_request action or a different flow to invoke yarn.

Screenshots
If applicable, add screenshots to help explain your problem.

Platform (please complete the following information):

  • OS: Linux platforms
  • Browser independent
  • Version independent

Additional context
No additional context, but refer to the GitHub best practices.

nickleali · Jul 10 '24 13:07
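A heuristic scanner for the pattern this report describes, added here as an illustration and not part of the issue or of the webex-js-sdk project: it flags a workflow that combines a privileged pull_request_target trigger, a checkout of github.event.pull_request.head.sha, and a package install that runs lifecycle scripts from that checkout. The pull_request_target trigger and the label gate in the constructed sample are assumptions about the real workflow; only the checkout ref and the "run: yarn" lines are taken from the report.

```python
"""Heuristic check for the workflow pattern reported in the issue: a privileged
pull_request_target run that checks out the PR head and then lets yarn/npm run
lifecycle scripts from that untrusted tree. Added example, not project code."""
import re

# Heuristics over the raw YAML text; no YAML parser needed for these three signals.
PRIVILEGED_TRIGGER = re.compile(
    r"^\s*pull_request_target\s*:|^\s*on:[ \t]*\[?[^\n]*\bpull_request_target\b", re.M)
UNTRUSTED_HEAD_REF = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
INSTALL_STEP = re.compile(
    r"^\s*run:\s*(.*\b(yarn|npm\s+(install|ci|i)|pnpm\s+install)\b.*)$", re.M)


def unsafe_install_steps(workflow_text: str) -> list[str]:
    """Return install commands that would execute package scripts from an
    attacker-controlled checkout while the job holds the base repo's secrets.
    An empty list means the pwn-request pattern is not present."""
    privileged = PRIVILEGED_TRIGGER.search(workflow_text)
    untrusted_checkout = UNTRUSTED_HEAD_REF.search(workflow_text)
    if not (privileged and untrusted_checkout):
        return []  # plain pull_request runs get a read-only token and no secrets
    return [m.group(1).strip() for m in INSTALL_STEP.finditer(workflow_text)
            if "--ignore-scripts" not in m.group(1)]


# Constructed sample: the trigger and label gate are assumptions; the checkout
# ref and "run: yarn" lines are the ones quoted in the report.
VULNERABLE = """
on:
  pull_request_target:
    types: [labeled, synchronize]
jobs:
  build:
    if: contains(github.event.pull_request.labels.*.name, 'validated')
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Project
        uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Install Dependencies
        run: yarn
"""

# Hardened variant: the unprivileged pull_request event, so PR code runs without secrets.
HARDENED = VULNERABLE.replace("pull_request_target:", "pull_request:")

if __name__ == "__main__":
    print("vulnerable:", unsafe_install_steps(VULNERABLE))  # ['yarn']
    print("hardened:", unsafe_install_steps(HARDENED))      # []
```

Keeping pull_request_target but adding --ignore-scripts to the install line also clears the finding, although it only removes the install-time execution path, not the exposure of secrets to the checked-out tree.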