Commit Time Checks and Safety
This pull request implements a new method called commitSafetyChecks() that checks the safety of a commit based on the commit date and the date of the trigger comment. This method will be executed on all .deploy or .noop invocations and will effectively harden workflows against Time of Check to Time of Use (TOCTOU) vulnerabilities. TOCTOU vulns prior to this PR would only exist in repos where this Action is being run in contexts that don't require any PR approvals, or CI checks.

What is TOCTOU?
If you were to comment .deploy to trigger a deployment and then push a malicious commit to the same PR, this Action would try to deploy the malicious commit. This happens because the issue_comment workflow context does not send the SHA in its payload, so this Action looks at the latest commit on the branch instead. So if a bad actor was waiting for you to .deploy their pull request, they could attempt to push an evil commit right after that comment, and hope their commit gets picked up and deployed. However, if you are using this Action with either CI checks, or PR approvals, TOCTOU exploits would be denied. This is because that malicious commit would not pass checks required for deployments, hooray!

That being said, if your project has no required CI checks, or PR approvals, you could be vulnerable to this kind of vulnerability.

This PR helps to hedge against a possible TOCTOU attack (even in the case of misconfigured repos). This PR fixes the issue by rejecting the deployment of any commit that is made after the trigger comment is made. The Action will immediately reject the deployment if the commit is made after the trigger comment and it will leave its own comment on the pull request letting you know why. (see example below)
Edit: it should be noted that this PR does not fully protect against TOCTOU as commit dates can be set by the user pushing them. For example, you could push a commit that appears to be in the past (or before the .deploy comment) and those would be deployed. To fully protect yourself against this, simply require pull request reviews so that changes must be approved before they can be deployed.

Example 📸