Description
Description of the issue
There is a newer variation of GitHub Actions TOCTOU vulnerabilities known as "Workflow dispatch TOCTOU" - I wrote about a real-world example in a recent bug report writeup:
https://adnanthekhan.com/posts/dependabot-core-toctou-writeup/
I think this is a good candidate for a High detection where a PR has the following characteristics:
- Runs on workflow dispatch / repository dispatch with the PR number as an input parameter. Does NOT require a commit SHA.
- Checks out code from that PR without some approval check.
- Runs code.
High because there is a lot of context required to understand if a maintainer would actually ever run the workflow on a fork, and that is not possible to determine via static analysis alone.
I believe this would require some code changes in the library code - adding a concept of a non-externally-triggered workflow that is intended to act upon untrusted code. This could then fire the UntrustedCheckoutTOCTOU alert.
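To make the three characteristics above concrete, here is an added illustration (not from this issue, the linked writeup, or any real project): two hypothetical workflow files. The first has the dispatch-TOCTOU shape (PR number as the only input, checkout of a moving ref, code execution); the second removes the race by requiring the full commit SHA that was reviewed and checking out that immutable commit. File names, input names, the `make test` step and the `gh api` guard step are all assumptions for the example; the guard is a SHA-consistency check, not the review-approval check the issue mentions, and is one of several possible gates.

```yaml
# ---- .github/workflows/run-pr-tests.yml  (vulnerable shape; constructed example) ----
name: run-pr-tests
on:
  workflow_dispatch:
    inputs:
      pr_number:                  # only the PR number is supplied ...
        description: "Pull request to test"
        required: true
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # ... and the ref is resolved at checkout time, so whatever commit is at
          # the PR head *now* is what runs, not the commit a maintainer reviewed
          # before dispatching the workflow.
          ref: refs/pull/${{ inputs.pr_number }}/head
      - run: make test            # executes code from the fork
---
# ---- .github/workflows/run-pr-tests.yml  (hardened shape; constructed example) ----
name: run-pr-tests
on:
  workflow_dispatch:
    inputs:
      pr_number:
        description: "Pull request to test"
        required: true
      head_sha:
        description: "Full 40-character commit SHA that was reviewed"
        required: true
permissions:
  contents: read
  pull-requests: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Validate the SHA and confirm it is still the PR head
        env:
          # Inputs are passed through env vars, never templated into the script body.
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ inputs.pr_number }}
          HEAD_SHA: ${{ inputs.head_sha }}
        run: |
          set -euo pipefail
          # Reject abbreviated SHAs, branch names and anything else that can move.
          echo "$HEAD_SHA" | grep -Eq '^[0-9a-f]{40}$'
          # Abort if commits landed after review: nothing unreviewed gets checked out.
          current=$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}" --jq .head.sha)
          [ "$current" = "$HEAD_SHA" ]
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.head_sha }}   # a commit id is immutable; a PR ref is not
          persist-credentials: false    # the checked-out tree gets no repo token
      - run: make test
```

The property a detection would key on is visible in the first file: a `workflow_dispatch` (or `repository_dispatch`) trigger whose inputs carry a PR number but no SHA, followed by a checkout of `refs/pull/<n>/head` (or a `${{ inputs.* }}`-derived ref) and a step that runs the checked-out code. The second file differs in exactly the ways such a rule would need to recognise as safe: a required SHA input, a guard that fails closed, and a checkout pinned to that SHA.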