Git Product home page Git Product logo

Comments (3)

zesterer avatar zesterer commented on August 18, 2024

I'd be interested in seeing a PR, although this crate's CI doesn't meaningfully interact with the outside world and I personally check every PR before approving a CI run, so I think the opportunities for exploitation are limited.

from spin-rs.

diogoteles08 avatar diogoteles08 commented on August 18, 2024

Hey Joshua, thanks for the reply. I'll be creating the PR shortly.

this crate's CI doesn't meaningfully interact with the outside world and I personally check every PR before approving a CI run, so I think the opportunities for exploitation are limited.

Your reviews on every PRs are really great, indeed help on the security on the repo and you should definitely continue doing that! But on the specific case of workflows external jobs it might not be enough, because the exploitation could actually come from changes on the code of the job you called.

To exemplify, note that on the rust.yml file you have uses: taiki-e/install-action@cargo-hack. This part is running code from a version of the action defined on the https://github.com/taiki-e/install-action repo. This could be dangerous for your repo because:

  1. AFAIU by reading the taiki-e repo, calling uses: taiki-e/install-action@cargo-hack does not pin the version of the code, so you would be always running the latest version. This means that you would be exposed in case this repo releases a compromised or erroneous code.
  2. If you don't declare the permissions, you might be running the external code with write permissions. So the code could run git commit and git push towards your repo, for example.
  3. Depending on your Branch protection settings, the push commands could succeed and push malicious code into you main branch.

The change that I initially purposed (updating workflow permissions) would already prevent this flow by limiting the permissions on the workflows. Additionally, my example went through some minor security risks that I would also be available and happy to help solving. Those would be:

  1. Specify the version of every external job you run.
  2. Determine branch protection rules for you main branch. E.g., there is a rule that requires PRs to merge code into the branch, preventing malicious direct pushes

Let me know your thoughts

from spin-rs.

zesterer avatar zesterer commented on August 18, 2024

As mentioned, I'm happy to review a PR that changes workflow permissions. Thanks for your time.

from spin-rs.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.