search

githubuniverseworkshops / workflow-script-injection

Understanding the risk of script Injections in GitHub Actions workflows
MIT License
4 stars 4 forks source link

readme

Understanding the risk of script injection in GitHub Actions workflows

@robandpdx
@decyjphr

PrerequisitesResourcesLearning Objectives

In this workshop we will learn about the risk of script injection in GitHub Actions workflows, and how to mitigate that risk.

Learning Objectives

In this workshop, you will:

:mega: Prerequisites

Before joining the workshop, there are a few items that you will need to install or bring with you.

:bomb: Exercise 1: Script injection in the run command

There are many issue ops things you can do with GitHub actions. A common use case is request/approval process:

  1. User opens an issue requesting X.
  2. If conditions are met, approval is automatic, and a GitHub actions workflow fulfills the request.

An example of this is request-repo-create.

In this example, user input from the issue body is parsed and used in the workflow as the name of the new repository to be created.

You should always be careful when using user inputs in your worfklows. User input can come from any of the following sources:

github.event.issue.title  
github.event.issue.body  
github.event.pull_request.title  
github.event.pull_request.body  
github.event.comment.body  
github.event.review.body  
github.event.review_comment.body  
github.event.pages.*.page_name  
github.event.commits.*.message  
github.event.head_commit.message  
github.event.head_commit.author.email  
github.event.head_commit.author.name  
github.event.commits.*.author.email  
github.event.commits.*.author.name  
github.event.pull_request.head.ref  
github.event.pull_request.head.label  
github.event.pull_request.head.repo.default_branch  
github.head_ref

The Check issue title workflow simply checks if the title (github.event.issue.title) of the workflow begins with octocat. If so, the workflow succeeds. If not, the workflow fails.

The Check issue title with action workflow uses an action that simply checks if the input of the action begins with octocat. If so, the action succeeds. If not, the action fails.

This workflow and action above are vulnerable to script injection. Let's find out why they are vulnerable, and how to exploit them. Exercise 1

:bomb: Exercise 2 - Script injection in github-script action

The Check issue comment workflow simply checks if the issue comment (github.event.comment.body) begins with octocat. If so, the workflow succeeds. If not, the workflow fails.

This workflow is vulnerable to script injection. Let's find out why it is vulnerable, and how to exploit it.
Exercise 2

:mag: Exercise 3 - Detect Script Injection using CodeQL

In CodeQL, code is treated like data. Security vulnerabilities, bugs, and other errors are modeled as queries that can be executed against databases extracted from code. You can run the standard CodeQL queries, written by GitHub researchers and community contributors, or write your own to use in custom analyses. Queries that find potential bugs highlight the result directly in the source file.

In CodeQL, the Javascript language extractor includes support for YAML and the libraries support Actions framework. GitHub also provides queries for some common CWEs in Actions Workflows.

GitHub Advanced Security uses CodeQL as the tool for Code Scanning. Code Scanning creates security alerts when vulnerabilties are found. These alerts can be viewed in GitHub and can block merges in protected branches. When a developer fixes a vulnerability, GitHub willl automatically close the alert as resolved.

In the next exercise we will learn how CodeQL can detect Script Injection in GitHub Actions Workflows and understand how GitHub Advanced Security can mitigate Script Injection vulnerabilities in Workflows.

Exercise 3

:lock: Exercise 4 - Fixing the script injection vulnerability in the run command

Now let's learn how to mitigate the script injection vulnerability in the run command.
Exercise 4

:lock: Exercise 5 - Fixing the script injection vulnerability in github-script action

Now let's learn how to mitigate the script injection vulnerability in the github-script action.
Exercise 5

:european_castle: Exercise 6 - Enhance the detection of vulnerabilities using third party queries

We know CodeQL is a perfect tool for detecting vulnerablities because:

In the next exercise we will explore how to expand the coverage by using third party queries to detect unpinned actions in Workflows.

Exercise 6

:european_castle: Exercise 7 - Enhance the detection of vulnerabilities using custom party queries

In the next exercise we will explore how to expand the coverage by using custom queries to detect improper use of AWS credentials in Workflows.

Exercise 7

:books: Resources

You can learn about script injections at Understanding the risk of script injections

You can learn about security hardening for GitHub Actions at Security hardening for GitHub Actions

You can find examples of CodeQL queries at CodeQL queries

You can find CodeQL tutorials in our CodeQL documentation. The tutorials introduce concepts that you can use this codespace to practice.

We also have CodeQL language guides to help you experiment and learn how to write effective and efficient queries for CodeQL databases generated from the languages supported in CodeQL analysis.

You can prepare for certification in GitHub Advanced Security and Code Scanning by visiting the Microsoft Learning Page for Advanced Security.

You can learn about Codespaces at Codespaces