
[SECURITY CONCERNS] Environment variables (including PAT) exposed to github actions #24

Open
5nafu opened this issue May 12, 2021 · 1 comment

5nafu commented May 12, 2021

When running the runner with

$ docker run --rm \
    --name github-runner \
    -e GITHUB_OWNER=5nafu \
    -e GITHUB_REPOSITORY=sanderKnape_github-runner_env_exposure \
    -e GITHUB_PAT=<TOKEN> \
    -e RUNNER_LABELS=comma,separated,labels \
    -e ARBITRARY_ENV=value \
    sanderknape/github-runner

all environment variables supplied to the runner are exposed to the github actions. This includes (but is not limited to) the personal access token used to register a runner:

An attacker could use a malicious action to leak the tokens and thus gain access to the code.

Action:

name: Go
on:
  - push
jobs:
  debug:
    name: Output Debug
    runs-on: self-hosted
    steps:
    - name: Output simple environment
      run: >
        echo GITHUB_PAT: $GITHUB_PAT

Logs:

2021-05-12T13:41:32.5870992Z ##[group]Run echo GITHUB_OWNER: $GITHUB_OWNER echo GITHUB_REPOSITORY: $GITHUB_REPOSITORY echo GITHUB_PAT: $GITHUB_PAT echo RUNNER_LABELS: $RUNNER_LABELS echo ARBITRARY_ENV: $ARBITRARY_ENV
2021-05-12T13:41:32.5872899Z echo GITHUB_OWNER: $GITHUB_OWNER echo GITHUB_REPOSITORY: $GITHUB_REPOSITORY echo GITHUB_PAT: $GITHUB_PAT echo RUNNER_LABELS: $RUNNER_LABELS echo ARBITRARY_ENV: $ARBITRARY_ENV
2021-05-12T13:41:32.5884176Z shell: /bin/bash -e {0}
2021-05-12T13:41:32.5884735Z ##[endgroup]
2021-05-12T13:41:32.5941776Z GITHUB_OWNER: 5nafu echo GITHUB_REPOSITORY: 5nafu/sanderKnape_github-runner_env_exposure echo GITHUB_PAT: *** echo RUNNER_LABELS: comma,separated,labels echo ARBITRARY_ENV: value

You can check the action in 5nafu/sanderKnape_github-runner_env_exposure:.github/workflows/debug.yml and the output in /5nafu/sanderKnape_github-runner_env_exposure/actions/runs/835647428

@SanderKnape (Owner) commented:

Any thoughts on how to deal with this? The env var is required to properly deregister the token when the container is terminated.

I see there is a request for hiding environment variables, which would be most convenient, but that hasn't been implemented.
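Added example for this thread; it is not the sanderknape/github-runner entrypoint and not code from either participant. It illustrates both points raised above: the runner process inherits the container environment, so every job step it spawns can read `GITHUB_PAT` (the leak in the issue body), and the token can still be kept for the shutdown deregistration the owner mentions by moving it out of the environment into a root-only file before the runner starts. The names `SECRET_DIR`, `stash_secret`, `read_secret`, `child_sees`, `deregister_runner` and `demo` are hypothetical stand-ins; the real registration/removal calls to the runner's `config.sh` are project-specific and left out.

```shell
#!/bin/sh
# Added example (not the sanderknape/github-runner project's own code).
# Pattern: the PAT is copied to a 0600 file and then unset, so the runner
# and every workflow step forked from it no longer inherit it, while the
# shutdown path can still read the file to deregister the runner.
# Hypothetical names: SECRET_DIR, stash_secret, read_secret, child_sees,
# deregister_runner, demo.

# Directory for stashed secrets. The default is a constructed path for a
# local run; inside the container use a path owned by root (0700) that the
# unprivileged user running the runner cannot read.
SECRET_DIR="${SECRET_DIR:-${TMPDIR:-/tmp}/runner-secret.$$}"

# stash_secret NAME: write $NAME to a 0600 file, then remove the variable
# from this shell's environment so nothing forked later can see it.
stash_secret() {
    name="$1"
    eval "value=\${$name:-}"
    mkdir -p "$SECRET_DIR"
    chmod 700 "$SECRET_DIR"
    # umask in a subshell so the file is created 0600 without changing ours
    (umask 077; printf '%s' "$value" > "$SECRET_DIR/$name")
    unset "$name"   # also drops it from the exported environment
    unset value
}

# read_secret NAME: recover a stashed value (shutdown path only).
read_secret() {
    cat "$SECRET_DIR/$1"
}

# child_sees NAME: what a workflow step would print for `echo $NAME`.
# The step is a fresh process, exactly like the runner's job steps, so it
# sees only what was exported at the moment it was spawned.
child_sees() {
    sh -c 'printenv "$1" || :' _ "$1"
}

# deregister_runner: shutdown path. Reads the PAT back from the stash; a real
# entrypoint would use it to obtain a removal token from the GitHub API and
# run the runner's remove command (project-specific, omitted). It returns
# only the PAT length, to show the value was recovered without printing it.
deregister_runner() {
    pat="$(read_secret GITHUB_PAT)"
    printf '%s' "${#pat}"
    unset pat
}

# cleanup: remove the stash (after deregistration, or on exit).
cleanup() {
    rm -rf "$SECRET_DIR"
}

# demo: the start-up order an entrypoint would use: register with the PAT in
# the environment, stash it, install the shutdown trap, then start the runner.
demo() {
    export GITHUB_PAT="ghp_constructed_example_only"   # constructed, not a real token
    printf 'before stash, a step sees: %s\n' "$(child_sees GITHUB_PAT)"
    stash_secret GITHUB_PAT
    printf 'after stash, a step sees:  "%s"\n' "$(child_sees GITHUB_PAT)"
    trap 'deregister_runner >/dev/null; cleanup; exit 0' TERM INT
    printf 'PAT of %s chars still readable for deregistration\n' "$(deregister_runner)"
    cleanup
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh example.sh demo`. Two limits of the pattern are worth knowing before relying on it: the file only protects the token if the runner (and therefore the job steps) runs as a user other than the one owning the file, and anything passed with `docker run -e` remains visible in `docker inspect` on the host, so the stash reduces exposure to workflows, not to anyone with host Docker access.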
