ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

Dangerous workflows: detect refs #2404

Open laurentsimon opened 2 years ago

laurentsimon commented 2 years ago

Workflows that use labels to enforce reviews before running tests on pull_request_target check out the repo with ref: ${{github.event.pull_request.head.sha}}. One mistake some developers make is to use ref: ${{github.event.pull_request.head.ref}} instead, which is subject to a TOCTOU attack.

  1. Maintainer reviews the PR code and adds a label.
  2. Attacker pushes different code before the workflow is triggered / the repo is checked out.

Scorecard can detect these as part of the dangerous workflow check.

spencerschrock commented 2 years ago

Scorecard currently detects both patterns as part of Dangerous workflows. In fact, we're currently getting dinged with it:

"checks": [
    {
      "details": [
        "Warn: untrusted code checkout '${{ github.event.pull_request.head.sha }}': .github/workflows/integration.yml:45"
      ],
      "score": 0,
      "reason": "dangerous workflow patterns detected",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    }
  ],

I assume the intended behavior should be:
not dangerous: github.event.pull_request.head.sha
dangerous: github.event.pull_request.head.ref

laurentsimon commented 2 years ago

Yes, you're correct @spencerschrock, I think we do catch it today. sha is secure if, when used, the code is not run afterwards, or if labels / env are applied prior to run. I'm not 100% sure if we can capture all the distinctions, though. We already detect the use of env, but not labels, for example.
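The following is an added illustration of the distinction discussed in this thread; it is not Scorecard's own code and is much coarser than the real Dangerous-Workflow check (which parses the YAML properly). It embeds three constructed workflows: a label-gated pull_request_target job that checks out the mutable branch name (head.ref, the TOCTOU case), the same job pinned to the immutable head.sha (still an untrusted checkout, as Scorecard reports today), and a plain pull_request job that is not affected. The regex-based scanner classifies each checkout ref and prints a "Warn: untrusted code checkout" line in the same shape as the Scorecard output quoted above. The workflow file names and the "mutable-ref"/"untrusted-sha" labels are assumptions made for this example.

```python
import re

# Constructed sample workflows (not taken from any real repository).
# A label gate on pull_request_target only helps if the code that was
# reviewed is the code that gets checked out; head.ref re-resolves the
# branch at checkout time, so a push after labeling wins the race.
VULNERABLE_WORKFLOW = """\
name: integration
on:
  pull_request_target:
    types: [labeled]
jobs:
  test:
    if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.ref }}
      - run: make test
"""

# Same job, but pinned to the commit that was actually labeled.
PINNED_WORKFLOW = VULNERABLE_WORKFLOW.replace("head.ref", "head.sha")

# Ordinary pull_request trigger: no write token, no secrets, not in scope.
SAFE_WORKFLOW = """\
name: lint
on:
  pull_request:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make lint
"""

# Coarse trigger detection: any mention of pull_request_target. A real
# check would inspect only the `on:` block.
TRIGGER_RE = re.compile(r"\bpull_request_target\b")

# Checkout refs that resolve to the PR head. github.head_ref is GitHub's
# shorthand for the PR source branch name and is just as mutable as
# github.event.pull_request.head.ref.
REF_RE = re.compile(
    r"ref:\s*\$\{\{\s*"
    r"(github\.event\.pull_request\.head\.(?:ref|sha)|github\.head_ref)"
    r"\s*\}\}"
)


def classify_ref(expr: str) -> str:
    """Label a PR-head checkout expression (labels are this example's own)."""
    if expr.endswith(".sha"):
        return "untrusted-sha"   # immutable, but still attacker-authored code
    return "mutable-ref"         # branch name: TOCTOU between review and checkout


def find_untrusted_checkouts(workflow_text: str):
    """Return (line, expression, kind) for each PR-head checkout in a
    pull_request_target workflow; an empty list for other triggers."""
    if not TRIGGER_RE.search(workflow_text):
        return []
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = REF_RE.search(line)
        if m:
            findings.append((lineno, m.group(1), classify_ref(m.group(1))))
    return findings


def report(path: str, workflow_text: str):
    """Format findings the way Scorecard's Dangerous-Workflow details read."""
    return [
        f"Warn: untrusted code checkout '${{{{ {expr} }}}}' ({kind}): {path}:{lineno}"
        for lineno, expr, kind in find_untrusted_checkouts(workflow_text)
    ]


if __name__ == "__main__":
    for path, text in [
        (".github/workflows/integration.yml", VULNERABLE_WORKFLOW),
        (".github/workflows/integration-pinned.yml", PINNED_WORKFLOW),
        (".github/workflows/lint.yml", SAFE_WORKFLOW),
    ]:
        for line in report(path, text) or [f"OK: no PR-head checkout in {path}"]:
            print(line)
```

The point the classification makes is the one raised in the thread: a head.sha checkout is not "safe", it is merely pinned, so whether it is acceptable depends on what the workflow does with the code afterwards and whether the label or environment gate really ran before that commit was fetched.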

github-actions[bot] commented 1 year ago

Stale issue message - this issue will be closed in 7 days

github-actions[bot] commented 10 months ago

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] commented 7 months ago

This issue has been marked stale because it has been open for 60 days with no activity.