GitHubSecurityLab / actions-permissions

GitHub token permissions Monitor and Advisor actions
MIT License

Monitor action’s proxy messing up SSL certificate authority validation for other actions? #4

Closed remi closed 1 year ago

remi commented 1 year ago

When using the GitHubSecurityLab/actions-permissions/monitor@v1 action in a simple Elixir workflow:

- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v3
- uses: erlef/setup-beam@v1
  with:
    version-file: .tool-versions # (which contains erlang 25.2.1 + elixir 1.14.3-otp-25)
    version-type: strict
- run: mix deps.get

The mix deps.get action (which fetches package information from https://repo.hex.pm) fails with this error:

Notice: 13:26:50.055 [notice] TLS :client: In state :certify at ssl_handshake.erl:2111 generated CLIENT ALERT: Fatal - Unknown CA
{:failed_connect, [{:to_address, {'repo.hex.pm', 443}}, {:inet, [:inet], {:tls_alert, {:unknown_ca, 'TLS client: In state certify at ssl_handshake.erl:2111 generated CLIENT ALERT: Fatal - Unknown CA\n'}}}]}

When removing the GitHubSecurityLab/actions-permissions/monitor@v1 action, mix deps.get works as expected.

My guess is that it’s related to the way mitmproxy intercepts HTTPS requests.

Is there any more information I can provide to help you guys fix this?

Thank you! ✌️

JarLob commented 1 year ago

Thank you for reporting it. Is it an Ubuntu-based runner?

What I found during development is that different language runtimes use different env variables for using the registered self-signed certificate, like NODE_EXTRA_CA_CERTS for Node.js or REQUESTS_CA_BUNDLE for the Python requests library: https://github.com/GitHubSecurityLab/actions-permissions/blob/a1f1ca6cc96c0f59f3ddcf212cc6493e9c73cdfb/monitor/setup.sh#L111-L114

Is deps.get written in Erlang? If it has a similar env variable to set, then it is something the Monitor action should do. But it is sad that not everyone is detecting the locally installed CA: https://github.com/GitHubSecurityLab/actions-permissions/blob/a1f1ca6cc96c0f59f3ddcf212cc6493e9c73cdfb/monitor/setup.sh#L108-L110

remi commented 1 year ago

There is! HEX_CACERTS_PATH 🎉

I’ll send a pull request with the change.
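As an added example (not code from the actions-permissions repository), a POSIX shell script that does what the thread describes the Monitor setup step as needing to do per runtime: combine the proxy's CA with the system bundle and emit the environment variables for Node.js, Python requests and Hex, including the HEX_CACERTS_PATH that remi identified. It assumes (not stated on the page) that HEX_CACERTS_PATH and REQUESTS_CA_BUNDLE replace the runtime's default trust store rather than extending it, so the bundle must carry the public CAs as well; the proxy CA path, the default system bundle path and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the actions-permissions project.
# Builds a combined CA bundle (system CAs + intercepting proxy CA) and prints
# the export lines each runtime needs to trust it.

# is_pem FILE -> succeeds if FILE holds at least one PEM certificate block.
is_pem() {
  [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# build_bundle PROXY_CA SYSTEM_BUNDLE OUT
# Writes OUT = SYSTEM_BUNDLE (if it is a readable PEM file) followed by PROXY_CA,
# and prints the number of certificate blocks in OUT. Assumption: variables such
# as HEX_CACERTS_PATH and REQUESTS_CA_BUNDLE replace the default store, so the
# public CAs must be in the same file or every non-proxied TLS connection breaks.
build_bundle() {
  proxy_ca=$1; system_bundle=$2; out=$3
  is_pem "$proxy_ca" || { echo "not a PEM certificate: $proxy_ca" >&2; return 1; }
  : > "$out"
  if is_pem "$system_bundle"; then cat "$system_bundle" >> "$out"; fi
  cat "$proxy_ca" >> "$out"
  grep -c -- '-----BEGIN CERTIFICATE-----' "$out"
}

# ca_env BUNDLE -> prints `export` lines for each runtime's CA variable.
ca_env() {
  b=$1
  printf 'export NODE_EXTRA_CA_CERTS=%s\n' "$b"   # Node.js (extends its defaults)
  printf 'export REQUESTS_CA_BUNDLE=%s\n' "$b"    # Python requests
  printf 'export HEX_CACERTS_PATH=%s\n' "$b"      # Erlang/Elixir Hex (mix deps.get)
}

# Usage: sh ca-env.sh PROXY_CA [SYSTEM_BUNDLE] > ca.env && . ./ca.env
# Placeholder paths; the system bundle default is the Debian/Ubuntu location.
if [ -n "${1:-}" ]; then
  out=${TMPDIR:-/tmp}/monitor-ca-bundle.pem
  build_bundle "$1" "${2:-/etc/ssl/certs/ca-certificates.crt}" "$out" >/dev/null
  ca_env "$out"
fi
```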