SanderKnape / github-runner

MIT License

[SECURITY CONCERNS] Environment variables (including PAT) exposed to github actions #24

Open 5nafu opened 3 years ago

5nafu commented 3 years ago

When running the runner with

$ docker run --rm \
    --name github-runner \
    -e GITHUB_OWNER=5nafu \
    -e GITHUB_REPOSITORY=sanderKnape_github-runner_env_exposure \
    -e GITHUB_PAT=<TOKEN> \
    -e RUNNER_LABELS=comma,separated,labels \
    -e ARBITRARY_ENV=value \
    sanderknape/github-runner

all environment variables supplied to the runner are exposed to the GitHub Actions. This includes (but is not limited to) the personal access token used to register a runner:

An attacker could use a malicious action to leak the tokens and thus gain access to the code.

Action:

name: Go
on:
  - push
jobs:
  debug:
    name: Output Debug
    runs-on: self-hosted
    steps:
    - name: Output simple environment
      run: >
        echo GITHUB_PAT: $GITHUB_PAT

Logs:

2021-05-12T13:41:32.5870992Z ##[group]Run echo GITHUB_OWNER: $GITHUB_OWNER echo GITHUB_REPOSITORY: $GITHUB_REPOSITORY echo GITHUB_PAT: $GITHUB_PAT echo RUNNER_LABELS: $RUNNER_LABELS echo ARBITRARY_ENV: $ARBITRARY_ENV
2021-05-12T13:41:32.5872899Z echo GITHUB_OWNER: $GITHUB_OWNER echo GITHUB_REPOSITORY: $GITHUB_REPOSITORY echo GITHUB_PAT: $GITHUB_PAT echo RUNNER_LABELS: $RUNNER_LABELS echo ARBITRARY_ENV: $ARBITRARY_ENV
2021-05-12T13:41:32.5884176Z shell: /bin/bash -e {0}
2021-05-12T13:41:32.5884735Z ##[endgroup]
2021-05-12T13:41:32.5941776Z GITHUB_OWNER: 5nafu echo GITHUB_REPOSITORY: 5nafu/sanderKnape_github-runner_env_exposure echo GITHUB_PAT: *** echo RUNNER_LABELS: comma,separated,labels echo ARBITRARY_ENV: value

You can check the action in 5nafu/sanderKnape_github-runner_env_exposure:.github/workflows/debug.yml and the output in /5nafu/sanderKnape_github-runner_env_exposure/actions/runs/835647428

SanderKnape commented 3 years ago

Any thoughts on how to deal with this? The env var is required to properly deregister the token when the container is terminated.

I see there is a request for hiding environment variables which would be most convenient, but that hasn't been implemented.
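One way an entrypoint can keep the token for its own cleanup handler while job steps no longer inherit it, as an added example that is not part of the thread and not the project's entrypoint. The names `SECRET_VARS`, `stash_secrets`, `kept_secret` and `run_without_secrets` are assumptions, and the token value in the demo is constructed.

```shell
#!/bin/sh
# Added example (not the project's code): hide registration secrets from the
# runner process so job steps do not inherit them, but keep them readable
# inside the entrypoint for the deregistration trap.

# Variables that job steps must not inherit (assumed list; extend as needed).
SECRET_VARS="GITHUB_PAT"

# Move each secret out of the exported environment into a plain shell
# variable named _KEPT_<NAME>. Plain shell variables are not passed to
# child processes. Names come only from the fixed SECRET_VARS list above.
stash_secrets() {
  for _n in $SECRET_VARS; do
    eval "_KEPT_$_n=\${$_n-}"
    unset "$_n"
  done
}

# Print a stashed secret; intended for use inside the entrypoint only,
# for example in the EXIT/TERM trap that deregisters the runner.
kept_secret() {
  eval "printf '%s' \"\${_KEPT_$1-}\""
}

# Run a command (the runner's start script in a real entrypoint) in a
# subshell where the secrets are unset, even if something re-exported them.
run_without_secrets() {
  (
    for _n in $SECRET_VARS; do unset "$_n"; done
    exec "$@"
  )
}

# Demo with a constructed token: sh this-file.sh demo
if [ "${1-}" = "demo" ]; then
  GITHUB_PAT="constructed-token-not-real"; export GITHUB_PAT
  stash_secrets
  # The trap still reaches the token (only its length is printed here).
  trap 'echo "cleanup has token, bytes: $(kept_secret GITHUB_PAT | wc -c)"' EXIT
  # Stand-in for a job step started by the runner.
  run_without_secrets sh -c 'echo "job step sees: ${GITHUB_PAT-<unset>}"'
fi
```

This only stops inheritance by child processes: the value passed with `-e` remains in the container's configuration and in the entrypoint's original environment block. Other variables such as `ARBITRARY_ENV` stay visible to job steps unless they are added to `SECRET_VARS`.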