Unsecured Commands
- Query id: 60fd272d-15f4-4d8f-afe4-77d9c6cc0453
- Query name: Unsecured Commands
- Platform: CICD
- Severity: Medium
- Category: Insecure Configurations
- URL: Github
Description¶
There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
name: Vulnerable workflow
on:
pull_request_target
env:
# 1. Enable unsecure commands
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
ENVIRONMENT_NAME: prod
jobs:
deploy:
runs-on: ubuntu-latest
steps:
# 2. Print github context
- run: |
print("""${{ toJSON(github) }}""")
shell: python
- name: Create new PR deployment
uses: actions/github-script@v5
with:
# 3. Create deployment
script: |
return await github.rest.repos.createDeployment({
...context.repo,
ref: context.payload.pull_request.head.sha,
auto_merge: false,
required_contexts: [],
environment: "${{ env.ENVIRONMENT_NAME }}",
transient_environment: false,
production_environment: false,
});
github-token: ${{ secrets.GITHUB_TOKEN }}
Positive test num. 2 - yaml file
name: Vulnerable workflow
on:
pull_request_target
jobs:
deploy:
runs-on: ubuntu-latest
env:
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
steps:
# 2. Print github context
- run: |
print("""${{ toJSON(github) }}""")
shell: python
- name: Create new PR deployment
uses: actions/github-script@v5
with:
# 3. Create deployment
script: |
return await github.rest.repos.createDeployment({
...context.repo,
ref: context.payload.pull_request.head.sha,
auto_merge: false,
required_contexts: [],
environment: "${{ env.ENVIRONMENT_NAME }}",
transient_environment: false,
production_environment: false,
});
github-token: ${{ secrets.GITHUB_TOKEN }}
Positive test num. 3 - yaml file
name: Vulnerable workflow
on:
pull_request_target
jobs:
deploy:
runs-on: ubuntu-latest
steps:
# 2. Print github context
- run: |
print("""${{ toJSON(github) }}""")
shell: python
- name: Create new PR deployment
env:
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
uses: actions/github-script@v5
with:
# 3. Create deployment
script: |
return await github.rest.repos.createDeployment({
...context.repo,
ref: context.payload.pull_request.head.sha,
auto_merge: false,
required_contexts: [],
environment: "${{ env.ENVIRONMENT_NAME }}",
transient_environment: false,
production_environment: false,
});
github-token: ${{ secrets.GITHUB_TOKEN }}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
name: test-positive
on:
pull_request:
types: [opened, synchronize, edited, reopened]
branches:
- master
jobs:
test-positive:
runs-on: ubuntu-latest
steps:
- name: PR comment
uses: thollander/actions-comment-pull-request@b07c7f86be67002023e6cb13f57df3f21cdd3411
with:
comment_tag: title_check
mode: recreate
create_if_not_exists: true