Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🐛 fix dangerous workflow test and workflow parsing #1283

Merged
merged 8 commits into from
Nov 20, 2021

Conversation

asraa
Copy link
Contributor

@asraa asraa commented Nov 16, 2021

Signed-off-by: Asra Ali [email protected]

  • Please check if the PR fulfills these requirements
  • What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

  • Fixes unit test for dangerous workflow

  • Fixes small issue with workflow parsing the trigger.

  • What is the current behavior? (You can also link to an open issue here)

  • What is the new behavior (if this is a feature change)?

  • dangerous workflow check succeeds for system/systemd where before it wouldn't recognize a list of event triggers (seems to parse as []interface{} rather than []string)

  • https://github.com/systemd/systemd/blob/2ec0c4f94de7091c2f4fdf76742bb793d64de781/.github/workflows/labeler.yml#L7-L8

  • Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)

  • Other information:

Signed-off-by: Asra Ali <[email protected]>
@asraa
Copy link
Contributor Author

asraa commented Nov 16, 2021

Fixes #1257 (comment) dangerous workfow check on systemd btw @evverx

@asraa
Copy link
Contributor Author

asraa commented Nov 16, 2021

Still planning on moving to the other parser, just figured i'd fix this bug while it's here

Copy link
Contributor

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@evverx
Copy link
Contributor

evverx commented Nov 16, 2021

I can confirm that the issue is gone. Thanks!

@azeemshaikh38 azeemshaikh38 enabled auto-merge (squash) November 17, 2021 04:39
@asraa
Copy link
Contributor Author

asraa commented Nov 17, 2021

@azeemshaikh38 is there a known issue with the e2e token?

@naveensrinivasan
Copy link
Member

@azeemshaikh38 is there a known issue with the e2e token?

Looks like an issue. I will turn off the check required we will get this merged and I will send out a PR for that.

@azeemshaikh38
Copy link
Contributor

@azeemshaikh38 is there a known issue with the e2e token?

Looks like an issue. I will turn off the check required we will get this merged and I will send out a PR for that.

Let's not turn off e2e tests to merge PRs please. What is the issue with the token exactly? Can we fix that first before we merge this in?

@naveensrinivasan
Copy link
Member

@azeemshaikh38 is there a known issue with the e2e token?

Looks like an issue. I will turn off the check required we will get this merged and I will send out a PR for that.

Let's not turn off e2e tests to merge PRs please. What is the issue with the token exactly? Can we fix that first before we merge this in?

I don't know. I would have to investigate. I can turn it back on.

@azeemshaikh38
Copy link
Contributor

@azeemshaikh38 is there a known issue with the e2e token?

Looks like an issue. I will turn off the check required we will get this merged and I will send out a PR for that.

Let's not turn off e2e tests to merge PRs please. What is the issue with the token exactly? Can we fix that first before we merge this in?

I don't know. I would have to investigate. I can turn it back on.

Looks like a common issue:

The workaround is very complicated AFAICT. How about we remove the update comment part of the e2e workflows? That should unblock us. Wdyt @naveensrinivasan?

@azeemshaikh38
Copy link
Contributor

@azeemshaikh38 is there a known issue with the e2e token?

Looks like an issue. I will turn off the check required we will get this merged and I will send out a PR for that.

Let's not turn off e2e tests to merge PRs please. What is the issue with the token exactly? Can we fix that first before we merge this in?

I don't know. I would have to investigate. I can turn it back on.

Yes, do turn it back on. Thanks Naveen!

@evverx
Copy link
Contributor

evverx commented Nov 17, 2021

Looks like a common issue:

If it's similar to the "labeler" action it could probably be fixed by simply switching to "pull_request_target" instead of "pull_request". As far as I can see, judging by https://github.com/peter-evans/create-or-update-comment#action-inputs

In public repositories this action does not work in pull_request workflows when triggered by forks. Any attempt will be met with the error, Resource not accessible by integration. This is due to token restrictions put in place by GitHub Actions ... Alternatively, use the pull_request_target event to comment on pull requests.

That would certainly be a dangerous workflow though given that there is a checkout somewhere :-) Another option would be to switch to workflow_run mentioned at https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Together with the pull_request_target, a new trigger workflow_run was introduced to enable scenarios that require building the untrusted code and also need write permissions to update the PR with e.g. code coverage results or other test results. To do this in a secure manner, the untrusted code must be handled via the pull_request trigger so that it is isolated in an unprivileged environment. The workflow processing the PR should then store any results like code coverage or failed/passed tests in artifacts and exit.

It's an interesting coincidence that the PR related to dangerous workflows triggered an issue related to dangerous workflows :-)

@azeemshaikh38
Copy link
Contributor

Looks like a common issue:

If it's similar to the "labeler" action it could probably be fixed by simply switching to "pull_request_target" instead of "pull_request". As far as I can see, judging by https://github.com/peter-evans/create-or-update-comment#action-inputs

In public repositories this action does not work in pull_request workflows when triggered by forks. Any attempt will be met with the error, Resource not accessible by integration. This is due to token restrictions put in place by GitHub Actions ... Alternatively, use the pull_request_target event to comment on pull requests.

That would certainly be a dangerous workflow though given that there is a checkout somewhere :-) Another option would be to switch to workflow_run mentioned at https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Together with the pull_request_target, a new trigger workflow_run was introduced to enable scenarios that require building the untrusted code and also need write permissions to update the PR with e.g. code coverage results or other test results. To do this in a secure manner, the untrusted code must be handled via the pull_request trigger so that it is isolated in an unprivileged environment. The workflow processing the PR should then store any results like code coverage or failed/passed tests in artifacts and exit.

It's an interesting coincidence that the PR related to dangerous workflows triggered an issue related to dangerous workflows :-)

Thanks @evverx very helpful as always :) I'm thinking of removing the update comment step from the workflow as a quick fix to merge this PR in. We should file an issue to look into this further.

@asraa could you comment out this step in your PR and see if that unblocks you from submitting - https://github.com/ossf/scorecard/blob/main/.github/workflows/integration.yml#L100

@asraa
Copy link
Contributor Author

asraa commented Nov 18, 2021

Looks its still failing on missing the auth token this when it tries to check-env, despite being set here, I think.

GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}

@azeemshaikh38
Copy link
Contributor

Looks its still failing on missing the auth token this when it tries to check-env, despite being set here, I think.

GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}

Argh! This is frustrating - https://docs.github.com/en/actions/security-guides/encrypted-secrets. Will look into it. If I can't resolve this by tomo will force submit this PR myself.

@azeemshaikh38
Copy link
Contributor

Looks its still failing on missing the auth token this when it tries to check-env, despite being set here, I think.

GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}

Argh! This is frustrating - https://docs.github.com/en/actions/security-guides/encrypted-secrets. Will look into it. If I can't resolve this by tomo will force submit this PR myself.

Ok, so this is my understanding so far based on https://securitylab.github.com/research/github-actions-preventing-pwn-requests/:

@asraa @laurentsimon @naveensrinivasan for any feedback to ensure I'm not missing anything here. Will be sending out a PR to fix this, can also discuss over there.

@laurentsimon
Copy link
Contributor

Looks its still failing on missing the auth token this when it tries to check-env, despite being set here, I think.

GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}

Argh! This is frustrating - https://docs.github.com/en/actions/security-guides/encrypted-secrets. Will look into it. If I can't resolve this by tomo will force submit this PR myself.

Ok, so this is my understanding so far based on https://securitylab.github.com/research/github-actions-preventing-pwn-requests/:

@asraa @laurentsimon @naveensrinivasan for any feedback to ensure I'm not missing anything here. Will be sending out a PR to fix this, can also discuss over there.

related note: @asraa looks like to remove false positive for dangerous workflows check in this case, we need to check the permissions set in the repo (pull_request_target + ref + permissions set seems fine). Let's create a tracking issue. Once we merge Token-Permissions into Dangerous workflows, it will make it easier to implement.
Trickier to remove false positive for secrets used in protected env.

@asraa
Copy link
Contributor Author

asraa commented Nov 19, 2021

created issue #1311 to track.

@azeemshaikh38 azeemshaikh38 temporarily deployed to integration-test November 19, 2021 23:50 Inactive
@azeemshaikh38 azeemshaikh38 enabled auto-merge (squash) November 19, 2021 23:50
@github-actions
Copy link

Integration tests success for
[bcb35f5]
(https://github.com/ossf/scorecard/actions/runs/1483177334)

@azeemshaikh38
Copy link
Contributor

Ok, looks like the protected environment is working. Phew!

@naveensrinivasan
Copy link
Member

Ok, looks like the protected environment is working. Phew!

Yes!! Thanks

@azeemshaikh38 azeemshaikh38 merged commit 730076f into ossf:main Nov 20, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants