A newly uncovered security vulnerability in GitHub Actions allows code to bypass the required-reviews protection on a protected branch, letting it into the pipeline to production.
Omer Gil and his team of researchers at security startup Cider Security discovered the flaw in GitHub Actions during research into novel attack vectors in DevSecOps. The flaw evades existing security protections and affects the installations of companies that have not enabled the recently introduced feature.
"An attacker compromising a GitHub user account, or simply a developer that wants to bypass this restriction, can simply push code to a protected branch. Since code in protected branches is usually used in production systems by many users or by other systems, the impact is high," Gil explained.
Vulnerability in GitHub Actions
GitHub Actions is GitHub's continuous integration/continuous delivery (CI/CD) service, which provides a mechanism to automate, customize and implement software development workflows directly in the repository, from development through to production systems, Cider Security explained in a blog post on Medium.
Furthermore, GitHub Actions is installed by default in every GitHub organization and in all of its repositories, and any user with the privilege to push code to a repository can design a workflow that runs when code is pushed.
“Anyone with write access to a repository can modify the permissions granted to the GITHUB_TOKEN, adding or removing access as required, by editing the permissions key in the workflow file,” Cider Security explained.
“As the PR is created, it cannot be merged since approval is required. However, the workflow immediately runs and the PR is approved by the GitHub-actions bot, which the GITHUB_TOKEN belongs to. It’s not an organization member, but counts as PR approval, and effectively allows the attacker to approve their own PR, basically bypassing the branch protection rules,” Cider Security further said.
"The issue is not fixed. GitHub said they'll work on fixing it. I believe adversaries can definitely take advantage of this issue in their attempts to reach production systems and expand their hold in their victims' assets," Gil noted.
To mitigate the risk, Cider Security has advised organizations to consider disabling GitHub Actions across their whole enterprise or for particular (more sensitive) repositories. Additionally, the issue can be mitigated by requiring the approval of Code Owners, or by requiring two or more approvals to merge a pull request.
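The following is an added auditing example (not Cider Security's or GitHub's code) that covers both the bypass described above and the mitigations just listed: it flags pull request approvals submitted by the GitHub Actions bot identity and checks whether a branch's protection settings require Code Owner review and at least two approvals. The record shapes follow GitHub's REST API responses for pull request reviews and branch protection; the sample records embedded below are constructed for illustration.

```python
"""Audit helpers for the GitHub Actions approval-bypass pattern (added example)."""
from __future__ import annotations

# Login GitHub uses for reviews submitted with the workflow's GITHUB_TOKEN.
ACTIONS_BOT_LOGIN = "github-actions[bot]"


def bot_approvals(reviews: list[dict]) -> list[dict]:
    """Return APPROVED reviews authored by the Actions bot (or any Bot-type user)."""
    return [
        r for r in reviews
        if r.get("state") == "APPROVED"
        and (r.get("user", {}).get("login") == ACTIONS_BOT_LOGIN
             or r.get("user", {}).get("type") == "Bot")
    ]


def human_approval_count(reviews: list[dict]) -> int:
    """Count approvals from real user accounts, ignoring bots."""
    return sum(1 for r in reviews
               if r.get("state") == "APPROVED"
               and r.get("user", {}).get("type") != "Bot")


def protection_findings(protection: dict) -> list[str]:
    """Flag branch protection that a single bot approval could satisfy."""
    findings: list[str] = []
    prr = protection.get("required_pull_request_reviews") or {}
    if not prr:
        findings.append("no pull request review requirement")
        return findings
    if prr.get("required_approving_review_count", 0) < 2:
        findings.append("fewer than two approving reviews required")
    if not prr.get("require_code_owner_reviews", False):
        findings.append("code owner review not required")
    return findings


# Constructed sample data mirroring /pulls/{n}/reviews and /branches/{b}/protection.
SAMPLE_REVIEWS = [
    {"state": "APPROVED", "user": {"login": "github-actions[bot]", "type": "Bot"}},
    {"state": "COMMENTED", "user": {"login": "alice", "type": "User"}},
]
SAMPLE_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "require_code_owner_reviews": False}
}

if __name__ == "__main__":
    print("bot approvals:", bot_approvals(SAMPLE_REVIEWS))
    print("human approvals:", human_approval_count(SAMPLE_REVIEWS))
    print("protection findings:", protection_findings(SAMPLE_PROTECTION))
```

On real data, feed the JSON returned by the GitHub API for each protected branch and its merged pull requests; a PR whose only approval is a bot approval on a branch with findings is the pattern the article describes.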