
New audit: bot conditions #170

Closed
woodruffw opened this issue Nov 18, 2024 · 1 comment · Fixed by #460
Labels
new-audit New audits

Comments

@woodruffw
Owner

TL;DR: `if: github.actor == 'dependabot[bot]'` can be exploited if it's composed with a dangerous trigger (like `pull_request_target`), since an attacker can open up a PR that's been manipulated such that the last actor/activity on the PR is Dependabot.

`dependabot`, `dependabot[bot]`, and `renovate[bot]` are probably the main ones.

Ref: https://www.synacktiv.com/publications/github-actions-exploitation-dependabot

@woodruffw woodruffw added the new-audit New audits label Nov 18, 2024
@woodruffw woodruffw self-assigned this Nov 18, 2024
@woodruffw
Owner Author

Spitballing:

  • We can emit normal findings when the `if:` condition is trivially a bot condition, e.g. `if: github.actor == 'dependabot[bot]'`
  • We can emit pedantic findings if the `if:` condition contains a bot condition, but isn't trivially one, e.g. `if: github.actor == 'dependabot[bot]' && something-else`
