Author Archives: Aidan Novia

GitHub workflow vulnerabilities

https://github.blog/security/vulnerability-research/how-to-catch-github-actions-workflow-injections-before-attackers-do/, https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project

Today I want to talk about a blog post I found on GitHub's own blog that details the measures needed to protect repositories against malicious action injections, so that we can protect our repositories and enforce standards that safeguard our intellectual property and information.

But first I want to go into detail about what an action injection is, how the attack works and what its consequences are. The attacker's goal is to get a command of their choosing executed by one of the workflows in the repository. The attacker creates a branch, issue or similar input; the workflow picks that input up and interpolates it into a `run` step, where it is executed. So if you have an automation that triggers when someone opens an issue, a bad actor can put a piece of malicious code in the issue title, and because the title is passed straight into the workflow's shell command, it gets executed. That can give the bad actor permissions they should not have under normal circumstances, even to the point of approving their own pull requests.

So the question remains: how do you stop this? The answer is environment variables. Passing the input, such as the issue title, through an environment variable treats it as untrusted data rather than as part of the command, so the `run` step no longer executes the malicious code. Using environment variables for API keys and other sensitive information is equally important for maintaining proper change control standards. If these standards are not followed, the integrity of the repo itself is at risk: a malicious change that goes unnoticed early in development can compromise later branches, as well as other contributors' repos and branches.
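As an added example (not code from the post, from GitHub's blog or from Legit Security), here are two constructed issue-triage workflows, the injectable `run:` step beside the environment-variable version, plus a small awk checker that flags `run:` steps interpolating `github.event` fields; the file names and the list of flagged fields are assumptions.

```shell
# Added, constructed example: two triage workflows and an awk checker (not the post's code).
# Write a vulnerable and a hardened version of an issue-triage workflow into $1.
mk_workflows() {
  dir="${1:-.}"
  cat > "$dir/vulnerable.yml" <<'EOF'
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      # The expression is substituted into the script text before bash parses it,
      # so a crafted title becomes part of the command line.
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
          echo "done"
EOF
  cat > "$dir/hardened.yml" <<'EOF'
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      # The title reaches bash only as the value of $TITLE: data, never code.
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
EOF
}

# Print FILE:LINE: text for every line inside a run: step that interpolates a user-controllable
# github.event field (the field list is an assumption; extend it). Exit 0 if any found, else 1.
find_unsafe_run_steps() {
  awk '
    BEGIN { pat = "[$][{][{][^}]*github[.]event[.](issue|pull_request|comment|review|head_commit|commits)[^}]*[}][}]" }
    {
      body = $0; sub(/^[ \t]*/, "", body); indent = length($0) - length(body)
      if (body ~ /^-?[ \t]*run:/) { inrun = 1; runindent = indent }
      else if (inrun && indent <= runindent) { inrun = 0 }
      if (inrun && $0 ~ pat) { hits++; printf "%s:%d: %s\n", FILENAME, FNR, body }
    }
    END { if (hits) exit 0; exit 1 }
  ' "$1"
}
```

Run `mk_workflows /tmp/wf && find_unsafe_run_steps /tmp/wf/vulnerable.yml` to see the flagged line; the hardened file produces no output because the expression sits under `env:`, outside any `run:` block.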

I chose this blog post because my own internship mainly uses automated systems for workflows, and we have our own GitHub workflow that documents change control requests so that we can see when a push that might compromise information or other systems is about to be made. Furthermore, we can reverse these changes and have workflows that try to detect attacks similar to this, where a malicious title is detected through machine learning. This is also important to understand in class when working with public repositories, where these attacks might be botted, so as to be more educated on when to properly test branches and on the proper use of environment variables in a project to further protect the repo.

From the blog CS@Worcester – Aidan's Cybersection by Aidan Novia and used with permission of the author. All other rights reserved by the author.

Introduction

Hi everyone, this blog is going to be where I post my findings and developments in my career in computer science, with a focus on cybersecurity as that's the niche I'm most interested in. This blog will cover everything from exploited vulnerabilities to threat actor trends in the industry. As for my experience, I have a Security+ certification and an active cybersecurity engineering internship at Barracuda Networks, where I have contributed to creating and updating detection rules and methods.
