Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(security): prevent RCE in various workflows #17157

Closed
wants to merge 1 commit into from
Closed

feat(security): prevent RCE in various workflows #17157

wants to merge 1 commit into from

Conversation

RedYetiDev
Copy link
Contributor

CC @minggo

@github-actions GitHub Actions
Copy link

Interface Check Report

This pull request does not change any public interfaces !

@minggo
Copy link
Contributor

minggo commented Jun 17, 2024

@RedYetiDev thanks for the PR.

shaoqiangcai
shaoqiangcai approved these changes Jun 17, 2024
View reviewed changes
Copy link
Contributor

@shaoqiangcai shaoqiangcai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

his modification makes our actions more standardized

dumganhar
dumganhar reviewed Jun 17, 2024
View reviewed changes
.github/workflows/web-interface-check.yml
@@ -13,6 +13,7 @@ jobs:
if:
(! contains(github.event.pull_request.body, '[X] does not change any runtime related code or build configuration'))
runs-on: ubuntu-latest
environment: external
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @RedYetiDev , thanks for your contribution.
May I ask why do we need to set an environment variable external here ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Setting this value to external means that the workflow won't proceed without approval from a repository admin

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it mean the admin should manually to approve the action every time?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Setting this value to external means that the workflow won't proceed without approval from a repository admin

@RedYetiDev , we need the web-interface-check.yml run every time when Pull Request is updated even when it isn't approved.
So I don't know why should it have to be run after approval. Any specific security reasons?

Copy link
Contributor

@dumganhar dumganhar Jun 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There will be an issue if we run this workflow after approval.

The old strategy:

  1. Developer send a pull request
  2. web-interface-check.yml will be run automatically
  3. Repo maintainer review the interface change comment sent by web-interface-check task
  4. Repo maintainer approved the Pull Request
  5. Pull Request was merged

If we mark the it as external, the flow will be

  1. Developer send a pull request
  2. web-interface-check.yml will not run.
  3. Repo maintainer approved the Pull Request
  4. Repo may forget to wait the web-interface-check.yml to finish and merge the Pull Request, the interface changes will not be reviewed.

So make the environment to external will let each maintainer notice that there is a task being run after approved, and it will be easily forgotten.

Copy link
Contributor Author

@RedYetiDev RedYetiDev Jun 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry that this change wouldn't be the best anti-RCE method.

This file runs without approval, and uses local scripts, leading to RCE.

I'd suggest reworking the workflow to run on pull_request rather than pull_request_target.

I'm out-of-town right now, so I'll be unable to implement such a change.

Copy link
Contributor

@dumganhar dumganhar Jun 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@RedYetiDev ok,thanks for the advice, I will check that.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reference: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the end, fix it here : #17264

@RedYetiDev Could you please help to review that PR? Thank you.

@RedYetiDev RedYetiDev closed this by deleting the head repository Jun 28, 2024
@dumganhar dumganhar mentioned this pull request Jul 1, 2024
Merged
6 tasks
@dumganhar
Copy link
Contributor

dumganhar commented Jul 1, 2024
edited
Loading

I found that this Pull Request was closed since the source repository was deleted.
I cherry-picked the the commit in this PR : #17258 and reverted the changes in web-interface-check.yml.

I will send another PR to resolve the RCE issue in web-interface-check.yml.

@RedYetiDev thanks for this PR.

@dumganhar dumganhar mentioned this pull request Jul 1, 2024
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@minggo minggo minggo left review comments

@dumganhar dumganhar dumganhar left review comments

@shaoqiangcai shaoqiangcai shaoqiangcai approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@RedYetiDev @minggo @dumganhar @shaoqiangcai