I guess it's somewhat known that you can trivially fake a repo w/a fork like this but it still feels like a bigger security risk than the "this commit comes from another repository" banner gives it credit for:
I guess it's somewhat known that you can trivially fake a repo w/a fork like this but it still feels like a bigger security risk than the "this commit comes from another repository" banner gives it credit for:
Yes, this has been an issue for so long and GitHub just doesn't care enough to fix it.
There's another way it can be exploited. It's very common to pin Actions in workflows these days by their commit hash like this:
But this commit doesn't even have to belong to the preceding repository. You can reference a commit on a fork. Great way to sneak in an xz-utils style backdoor into critical CI workflows.GitHub just doesn't care about security. Actions is a security disaster and has been for over a decade. They would rather spend years migrating to Azure for no reason and have multiple outages a week than do anything anybody cares about.
> But this commit doesn't even have to belong to the preceding repository. You can reference a commit on a fork. Great way to sneak in an xz-utils style backdoor into critical CI workflows.
Wow. Does the SHA need to belong to a fork of the repo? Or is GitHub just exposing all (public?) repo commits as a giant content-addressable store?
Needs to be a fork.
Related: https://trufflesecurity.com/blog/anyone-can-access-deleted-a...
yikes.. there should be the cli equivalent of that warning banner at the very least. combine this with something like gitc0ffee and it's downright dangerous
Yeah the way Github connects forks behind the scenes has created so many gotchas like this, I'm sure it's a nightmare to fix at this point but they definitely hold some responsibility here.