TL;DR: `if: github.actor == 'dependabot[bot]'` can be exploited if it's composed with a dangerous trigger (like `pull_request_target`), since an attacker can open a PR that's been manipulated such that the last actor/activity on the PR is Dependabot.
`dependabot`, `dependabot[bot]`, and `renovate[bot]` are probably the main ones.
We can emit normal findings when the `if:` condition is trivially a bot condition, e.g. `if: github.actor == 'dependabot[bot]'`.
We can emit pedantic findings if the `if:` condition contains a bot condition but isn't trivially one, e.g. `if: github.actor == 'dependabot[bot]' && something-else`.
Ref: https://www.synacktiv.com/publications/github-actions-exploitation-dependabot
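The normal/pedantic split described above, as an added example (not the project's own audit code): a small classifier for `if:` expressions, run over a constructed workflow that uses `pull_request_target`. The bot list, the `${{ }}` handling and the `github.triggering_actor` variant are assumptions made here, not part of the issue.

```python
import re
from typing import Optional

# Bot actors the issue names as the main ones to flag.
BOT_ACTORS = {"dependabot", "dependabot[bot]", "renovate[bot]"}

# Matches a comparison such as  github.actor == 'dependabot[bot]'
# (either quote style; triggering_actor is an assumed extra variant).
_BOT_CMP = re.compile(r"""github\.(?:triggering_)?actor\s*==\s*(['"])([^'"]+)\1""")


def classify_bot_condition(cond: str) -> Optional[str]:
    """'normal' when the whole if: is a single bot comparison,
    'pedantic' when a bot comparison is buried in a larger expression,
    None when no bot actor is compared against."""
    expr = cond.strip()
    if expr.startswith("${{") and expr.endswith("}}"):   # unwrap ${{ ... }}
        expr = expr[3:-2].strip()
    hits = [m for m in _BOT_CMP.finditer(expr) if m.group(2) in BOT_ACTORS]
    if not hits:
        return None
    # Trivially a bot condition: the comparison is the entire expression.
    if len(hits) == 1 and hits[0].span() == (0, len(expr)):
        return "normal"
    return "pedantic"


def audit_workflow(workflow: dict) -> list:
    """Return (job_name, severity) for jobs gated on a bot actor in a
    workflow that uses the dangerous pull_request_target trigger."""
    on = workflow.get("on", {})
    triggers = {on} if isinstance(on, str) else set(on)   # str, list or mapping
    if "pull_request_target" not in triggers:
        return []
    findings = []
    for name, job in workflow.get("jobs", {}).items():
        sev = classify_bot_condition(str(job.get("if", "")))
        if sev:
            findings.append((name, sev))
    return findings


# Constructed workflow, already parsed into a dict (no YAML loader needed).
SAMPLE_WORKFLOW = {
    "on": ["pull_request_target"],
    "jobs": {
        "auto-merge": {"if": "github.actor == 'dependabot[bot]'"},
        "label": {"if": "${{ github.actor == 'renovate[bot]' && github.event.pull_request.draft == false }}"},
        "test": {"if": "github.event_name == 'pull_request_target'"},
    },
}

if __name__ == "__main__":
    for job, sev in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{sev}: job '{job}' gates on a bot actor under pull_request_target")
```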