Workflows disabled pending vulnerability investigation #57
Comments
joeyparrish
added
type: bug
|
Default permissions for workflows have been fixed organization-wide. Some workflows now need to have permissions added selectively. |
Because we used require() to read build-matrix.json, the file could be replaced with build-matrix.json.js, allowing code injection into our CI pipelines. This fixes this vulnerability by reading the JSON text with the fs module, then explicitly parsing it, rather than relying on require(). This exploit was discovered by a researcher, and the researcher's activity was spotted within hours. Workflows were immediately suspended. No evidence has been found of any tampering in this repository or its releases. Issue shaka-project#57
Because we used require() to read build-matrix.json, the file could be replaced with build-matrix.json.js, allowing code injection into our CI pipelines. This fixes this vulnerability by reading the JSON text with the fs module, then explicitly parsing it, rather than relying on require(). This exploit was discovered by a researcher, and the researcher's activity was spotted within hours. Workflows were immediately suspended. No evidence has been found of any tampering in this repository or its releases. Issue #57
Because we used require() to read build-matrix.json, the file could be replaced with build-matrix.json.js, allowing code injection into our CI pipelines. This fixes this vulnerability by reading the JSON text with the fs module, then explicitly parsing it, rather than relying on require(). This also changes the location of the file, to match its location in other projects. Note that this workflow is not currently giving any elevated permissions to users, so it is not currently possible to damage the repo through a PR. But this might have been possible in the past, due to organization-wide defaults for token permissions (recently fixed). No evidence has been found of past exploit. See also shaka-project/shaka-streamer#216 and shaka-project/static-ffmpeg-binaries#57
|
Workflows have been fully audited and re-enabled for this repository. A full discussion of the workflow vulnerability will follow soon. |
TL;DRAbove all else, I want to emphasize this: A vulnerability was found in one of our workflows, not our source code or binaries. The vulnerability was discovered by a researcher who reported it to Google and did not damage anything. Workflows were suspended within hours, and no evidence of compromise has been found in any repos in the weeks I've been working on this. If you want more details, read on. Questions are welcome. The main vulnerabilityThe vulnerability relied on two main things:
Versions of those two things were found in several other repos across shaka-project. As soon as the exploit PR was noticed on shaka-streamer, workflows were paused on shaka-streamer and static-ffmpeg-binaries (both used the exact same pattern). This gave me time to investigate the PR, what it did, and how. The exploit PR replaced Because the default token was read-write, the PR author was able to use that token to make live calls to the GitHub API to create a new release as a proof of concept. They could just as easily have modified an existing release, replaced attached binaries on that release, pushed a new branch, pushed to an existing unprotected branch, or created or modified tags. The MitigationsReduce default token permissionsThe repositories and the organization itself all had their default token permissions set to read-write, as in this screenshot:
So the first mitigation was to update all repository settings, first at the organization, then per-repo in each one I had a fork of. This was done with the Next, I engaged in a systematic review of all repositories and workflows. There are 16 active repos under shaka-project, with many workflows each. I prioritized the most popular/active repositories, as well as those whose maintainers were waiting to make immediate releases. The default tokens were all basically safe now, but some workflows used non-default tokens for special actions or to do work as specific actors (like @shaka-bot). I made a list of workflows using non-default tokens, and checked how those workflows could be triggered. All were triggerable by maintainers, schedule, or commits to main, and none were exploitable by PRs or any code that had not been reviewed and merged. Add back granular permissionsThe new default token permissions had crippled some workflows that depended on those implicit permissions. So for each workflow, I triggered it, either on the main repo or on my fork, as appropriate. For the ones that failed, I added explicit, granular, and minimal permissions, isolated to the job. Prevent JSON module code injectionOur (lazy) use of This was the only code injection used by the researcher, but this was not the only possible path to code injection discovered during the full audit. In a couple of cases, a job was too big and complex and mixed actions that involved PR-controlled code with actions that required privileges. These were split up to isolate permissions, with minimal state transferred between jobs, e.g. by something like Avoid persisted credentials in
|
joeyparrish
added
type: vulnerability
A vulnerable workflow exposed this repo to risk of manipulation. All GitHub Actions have been disabled pending investigation of this vulnerability.
Existing releases, tags, and branches are clean and have not been poisoned. MD5 sums in release notes can be used to check your binaries. Binaries released via shaka-streamer-binaries on PyPi are also clean.
The text was updated successfully, but these errors were encountered: