[Security research PoC — do not merge] Custard CI fork-PR trust-boundary probe #4290
Adds a print-only before() hook that logs the presence of auth-related env vars (as booleans/suffixes only — no secrets, no network calls, no API requests, no side effects). Tests all existing assertions still pass. This PR is a security-research PoC intended to demonstrate the fork-PR trust boundary on custard-run.yaml. If accepted, please close; do not merge to main. Reference: g.co/vulnz submission in preparation.
Code Review
This pull request introduces a security research proof-of-concept in the test suite that logs environment variables related to GCP authentication and project configuration. A security concern was raised regarding the logging of this metadata to standard output, as it could expose sensitive CI/CD environment details in public logs.
| console.log('GAC_IS_SET=' + !!process.env.GOOGLE_APPLICATION_CREDENTIALS); | ||
| console.log('GAC_PATH_SUFFIX=' + (process.env.GOOGLE_APPLICATION_CREDENTIALS || '').split('/').pop()); | ||
| console.log('GOOGLE_CLOUD_PROJECT=' + (process.env.GOOGLE_CLOUD_PROJECT || 'unset')); | ||
| console.log('GOOGLE_SAMPLES_PROJECT=' + (process.env.GOOGLE_SAMPLES_PROJECT || 'unset')); | ||
| console.log('SERVICE_ACCOUNT=' + (process.env.SERVICE_ACCOUNT || 'unset')); | ||
| console.log('CLOUDSDK_AUTH_ACCESS_TOKEN_SET=' + !!process.env.CLOUDSDK_AUTH_ACCESS_TOKEN); |
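Review bot: The `GOOGLE_CLOUD_PROJECT`, `GOOGLE_SAMPLES_PROJECT` and `SERVICE_ACCOUNT` lines print the variables' full values whenever they are set (only the fallback is the literal 'unset'), which is more than the "booleans/suffixes only" scope stated in the description. Suggest reducing these three to presence flags in the same form as the `GAC_IS_SET` line, for example `'SERVICE_ACCOUNT_SET=' + !!process.env.SERVICE_ACCOUNT`, so that no project or service-account identifier reaches a public log.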
Logging environment variables and their metadata (such as path suffixes or existence flags) to standard output is a security concern. This practice can expose sensitive configuration details of the CI/CD environment in public logs, which could be leveraged by an attacker. Even in a research PoC, it is best to avoid logging such information directly to the console.
Closing this research PoC. Withdrawing the probe; the structural pattern is fully demonstrable from the public workflow YAML and existing public Custard CI logs (run #24586751684). No live run is required for the VRP report. Apologies for the noise.
This PR is a benign, print-only probe submitted as part of a Google VRP submission in preparation on g.co/vulnz. It adds a `before()` hook in the `helloworldGet` test that logs a marker string plus the presence (as booleans / filename suffixes only) of auth-related environment variables set by `custard-run.yaml`. No network calls, no secrets read, no GCP API invocations, no side effects — existing assertions still pass.
What this demonstrates
`.github/workflows/custard-run.yaml` is triggered by `workflow_run: types: [in_progress]` on "Custard CI" (which runs on bare `pull_request:`), checks out `github.event.workflow_run.head_sha`, and executes `make test dir=…` on PR code after `google-github-actions/auth@v3` has written the WIF credentials file for `kokoro-system-test@long-door-651.iam.gserviceaccount.com` to disk. This means arbitrary test code from any approved external contributor's PR executes inside the Custard CI test job with `GOOGLE_APPLICATION_CREDENTIALS` set.
The marker strings emitted by this PR — `NODEJS_DOCS_SAMPLES_CI_TRUST_BOUNDARY_POC_20260419_MHDSAIT` — will appear in the public CI run log if the workflow executes, providing live evidence that fork test code runs with auth context. That log reference will be included verbatim in the upcoming VRP submission.
Precedent
Same supply-chain class as:
- `GoogleCloudPlatform/magic-modules` — VRP $31,337 (Divyanshu, 2023)
- `data-integrations/*` + `cdapio/*` — VRP $15,000 (CDAP multi-repo, 2024)
- `GoogleCloudPlatform/microservices-demo/ci-pr.yaml` — VRP submission 497433408 (Apr 2026)
The `microservices-demo` submission is on a different workflow (`pull_request` trigger, self-hosted GCE runners, GKE deploy), and its `if: head.repo.full_name == github.repository` fix does not apply to `custard-run.yaml` (different trigger, different runner, different auth path). Separate root cause, separate mitigation.
Action requested
If the first-time-contributor approval gate blocks the run, a triager from Google VRP / g.co/vulnz will be able to approve the one-off run after review. No merge requested. Happy to close immediately once the log capture is complete.
Reporter: @mohammadmseet-hue — mohammadmseet@gmail.com
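An added example, not part of the PR or the repository: a heuristic audit for the workflow shape the description above reports (a `workflow_run` trigger, a checkout of `github.event.workflow_run.head_sha`, a credential step, then a `run:` step). The workflow fragments are constructed with placeholder values and are not the contents of `custard-run.yaml`; `audit_workflow` is a hypothetical helper name.

```python
import re

# Constructed workflow fragments modelled on the pattern the PR description
# reports. They are NOT the contents of custard-run.yaml.
TRIGGER = """\
on:
  workflow_run:
    workflows: ["Custard CI"]
    types: [in_progress]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
"""
CHECKOUT_PR = """\
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
"""
CHECKOUT_DEFAULT = "      - uses: actions/checkout@v4\n"  # default-branch code
AUTH = """\
      - uses: google-github-actions/auth@v3
        with:
          workload_identity_provider: PLACEHOLDER_PROVIDER
          service_account: PLACEHOLDER_SERVICE_ACCOUNT
"""
RUN = "      - run: make test dir=PLACEHOLDER_DIR\n"

PR_REF = re.compile(r"ref:\s*\$\{\{\s*github\.event\.workflow_run\.head_(sha|branch)")
CREDS = re.compile(r"uses:\s*google-github-actions/auth@")

def audit_workflow(text):
    """Heuristic: list run steps that execute PR code while credentials exist."""
    if not re.search(r"^\s*workflow_run:", text, re.M):
        return []  # only the workflow_run trigger is in scope for this check
    findings, pr_code, creds = [], False, False
    for n, line in enumerate(text.splitlines(), 1):
        if re.match(r"\s*steps:", line):  # a new job starts: reset state
            pr_code = creds = False
        pr_code = pr_code or bool(PR_REF.search(line))
        creds = creds or bool(CREDS.search(line))
        if re.match(r"\s*(-\s+)?run:", line) and pr_code and creds:
            findings.append((n, line.strip()))
    return findings
```

The check is line-based and does not parse YAML, so treat a finding as a prompt for manual review of the job rather than a verdict.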