Cybersecurity researchers at Cider Security have unearthed a code-review bypass in GitHub Actions that affected organizations that had not even enabled the recently introduced feature.
To patch the loophole, Omer Gil and colleagues from security start-up Cider Security introduced multiple security mechanisms.
GitHub Actions provides a mechanism to build and run software development workflows all the way from development to production systems.
The authorization bypass weaknesses could allow either a rogue developer or a threat actor to self-approve pull requests, opening the door to planting malicious code into the tributaries that feed production software, the researchers explained in a blog post on Medium.
An attacker needs to compromise only a single user account before launching the attack, which relies on editing the permissions key in the workflow file.
Last October, Cider Security was cleared to disclose its findings on the security loophole, weeks before GitHub patched the bug. Additionally, GitHub has introduced a new policy setting that allows system administrators to control whether GitHub Actions can approve pull requests.
“This protects against a user using Actions to satisfy the ‘required approvals’ branch protection requirement and merging a change that was not reviewed by another user. To prevent breaking existing workflows, ‘Allow GitHub Actions reviews to count towards required approval’ is enabled by default. However, an organization admin can disable it under the organization's Actions settings,” GitHub explained.
With this new setting, organization admins can now disallow GitHub Actions from approving pull requests.
This is an organization-wide setting, which by default allows Actions to approve pull requests in existing organizations, and disallows it in newly created organizations. This means that any organization that was created before this setting was introduced is still vulnerable unless the default setting is changed.
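Because the attack hinges on the permissions key in the workflow file, a defender can audit repositories for workflows that run on pull-request events and grant a job `pull-requests: write`. The scanner below is an added example written for this article, not code from Cider Security or GitHub; it assumes the workflow has already been parsed into a Python dictionary (as PyYAML would produce) and uses a constructed sample workflow.

```python
"""Hypothetical scanner over an already-parsed GitHub Actions workflow: flags
jobs whose `permissions` key would let them approve the pull request they run on."""

PR_TRIGGERS = {"pull_request", "pull_request_target"}


def grants_pr_write(permissions) -> bool:
    """True if a `permissions` value grants `pull-requests: write`.
    The value is the shorthand `write-all` / `read-all` or a scope -> level map;
    None means the repository default applies, which this check does not resolve."""
    if isinstance(permissions, str):
        return permissions == "write-all"
    return isinstance(permissions, dict) and permissions.get("pull-requests") == "write"


def pr_triggers(workflow: dict) -> set:
    """Pull-request style events the workflow runs on."""
    # PyYAML (YAML 1.1) parses a bare `on:` key as the boolean True, so check both.
    on = workflow.get("on", workflow.get(True))
    events = {on} if isinstance(on, str) else set(on) if isinstance(on, (list, dict)) else set()
    return events & PR_TRIGGERS


def risky_jobs(workflow: dict) -> list:
    """Names of jobs that could submit an approving review on the triggering PR.
    A job-level `permissions` key replaces the workflow-level one entirely, so a
    job is judged by its own key when present and by the top-level key otherwise."""
    if not pr_triggers(workflow):
        return []
    top = workflow.get("permissions")
    return [name for name, job in (workflow.get("jobs") or {}).items()
            if grants_pr_write(job.get("permissions", top))]


# Constructed sample, shaped as PyYAML would parse a workflow file: the `approve`
# job overrides the read-only workflow default to obtain pull-requests: write.
SAMPLE_WORKFLOW = {
    "name": "ci",
    True: {"pull_request": {"branches": ["main"]}},  # the bare `on:` key
    "permissions": "read-all",
    "jobs": {
        "build": {"runs-on": "ubuntu-latest", "steps": []},
        "approve": {"runs-on": "ubuntu-latest",
                    "permissions": {"pull-requests": "write"}, "steps": []},
    },
}

if __name__ == "__main__":
    print(risky_jobs(SAMPLE_WORKFLOW))  # ['approve']
```

A workflow with no permissions key at all inherits the repository's default token permissions, so the organization-wide setting described above, not this scan, is the control that actually closes the gap.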
“We recommend that you use this new setting to disallow malicious actors from bypassing branch protection rules by approving their own pull requests,” Cider Security concluded.