Fix insecure workflow. #297
Merged
merged 1 commit into from
Jul 28, 2021
Conversation

intrigus-lgtm (pull request description):

Actions triggered on "issue_comment" have access to write permissions and repository secrets by default. If we check out and build untrusted code, an attacker can get access to the secrets as well. They can execute code by adding a jekyll ruby plugin in "_plugins/malicious.rb".

To prevent this, we split the building of the site from pushing the site to gh-pages and commenting on the PR.

The site building is done with only read permissions, so running untrusted code is not a problem. If the site building finished successfully, a privileged action is triggered that then pushes the site to the gh-pages branch and comments on the PR.

I also added a check that prevents pushing ".github/workflows/" files to the gh-pages branch, because this would allow secret extraction and repository modification as well. (If you can add new workflow files you can do whatever you want inside them.)

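The split described in the PR description, as an added illustration that is not the repository's own workflow files: an unprivileged workflow builds the site from the PR with a read-only token and uploads the result as an artifact, and a second workflow, started by the `workflow_run` event (which runs from the default branch with its own permissions), validates the artifact, refuses it if it contains `.github/workflows`, pushes it to gh-pages and comments on the PR. Workflow names, the `/preview` trigger phrase, the `pr-number.txt` hand-off, the `peaceiris/actions-gh-pages` deploy action and the preview URL are assumptions for the example.

```yaml
# --- Workflow 1 (hypothetical file .github/workflows/build-preview.yml) ---
# Reacts to the untrusted PR comment, but with a read-only token, so the Jekyll
# build (including any plugin a PR adds under _plugins/) cannot read secrets or push.
name: build-preview

on:
  issue_comment:
    types: [created]

permissions:
  contents: read    # replaces the default write token for every job in this workflow

jobs:
  build:
    # Only comments on pull requests that contain the (hypothetical) trigger phrase
    if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/preview') }}
    runs-on: ubuntu-latest
    steps:
      - name: Resolve the PR head commit
        id: pr
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.issue.number }}
        run: |
          # issue_comment payloads carry no head SHA, so look it up (read-only API call)
          sha=$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}" --jq .head.sha)
          echo "sha=${sha}" >> "$GITHUB_OUTPUT"

      - uses: actions/checkout@v4
        with:
          ref: ${{ steps.pr.outputs.sha }}   # untrusted code; acceptable only because the token is read-only

      - name: Build the site with Jekyll
        env:
          PR_NUMBER: ${{ github.event.issue.number }}
        run: |
          bundle install
          bundle exec jekyll build --destination _site
          echo "${PR_NUMBER}" > pr-number.txt   # handed to the privileged workflow via the artifact

      - uses: actions/upload-artifact@v4
        with:
          name: site
          path: |
            _site
            pr-number.txt

---
# --- Workflow 2 (hypothetical file .github/workflows/deploy-preview.yml) ---
# workflow_run fires from the default branch's copy of this file and has write access.
# It never checks out PR code; it only handles the artifact produced above.
name: deploy-preview

on:
  workflow_run:
    workflows: [build-preview]
    types: [completed]

permissions:
  actions: read          # download the other run's artifact
  contents: write        # push to gh-pages
  pull-requests: write   # comment on the PR

jobs:
  deploy:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: site
          path: preview
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}

      - name: Validate the artifact before anything privileged happens
        id: pr
        run: |
          # 1) A workflow file in the published tree would run with gh-pages' own privileges.
          if [ -n "$(find preview/_site -path '*/.github/workflows*' -print -quit)" ]; then
            echo "::error::build output contains .github/workflows; refusing to publish"
            exit 1
          fi
          # 2) The PR number was written by the untrusted job: accept digits only, so it
          #    cannot carry shell or expression syntax into the steps below.
          n=$(tr -d '[:space:]' < preview/pr-number.txt)
          echo "$n" | grep -Eqx '[0-9]{1,9}' || { echo "::error::invalid PR number"; exit 1; }
          echo "number=${n}" >> "$GITHUB_OUTPUT"

      - name: Push the preview to gh-pages
        uses: peaceiris/actions-gh-pages@v3   # assumed deploy action; any gh-pages publisher works
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: preview/_site
          destination_dir: pr-${{ steps.pr.outputs.number }}
          keep_files: true

      - name: Comment on the PR
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ steps.pr.outputs.number }}
        run: gh pr comment "$PR" --repo "$GITHUB_REPOSITORY" --body "Preview deployed to https://OWNER.github.io/REPO/pr-${PR}/ (placeholder URL)"
```

Two details matter for the split to hold. The `permissions: contents: read` block in the first workflow must cover the whole workflow, not just one job, because the token handed to the checked-out build is the thing an injected plugin would steal. And the second workflow must treat everything in the artifact as attacker-controlled: it is not enough to avoid checking out the PR branch if the deploy step then publishes a `.github/workflows` directory or interpolates an unvalidated value from the artifact into a shell command.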
@certik certik requested a review from LKedward July 27, 2021 20:04
certik (Member) commented Jul 27, 2021

@intrigus-lgtm thank you so much for this. We all really appreciate it! I'll let @LKedward review it.

LKedward (Member) left a comment

Thanks again for this. As per our previous conversation, this all looks good to me 👍

@LKedward LKedward requested a review from awvwgk July 27, 2021 20:46
milancurcic (Member) left a comment

Thank you @intrigus-lgtm!

6 participants