Javascript: Query to detect GITHUB_TOKEN leaked in artifacts #17401
Conversation
|
QHelp previews: javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.qhelpStorage of sensitive information in GitHub Actions artifactSensitive information included in a GitHub Actions artifact can allow an attacker to access the sensitive information if the artifact is published. RecommendationOnly store information that is meant to be publicly available in a GitHub Actions artifact. ExampleThe following example uses name: secrets-in-artifacts
on:
pull_request:
jobs:
a-job: # VULNERABLE
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: "Upload artifact"
uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
with:
name: file
path: .
The issue has been fixed below, where the name: secrets-in-artifacts
on:
pull_request:
jobs:
a-job: # NOT VULNERABLE
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: "Upload artifact"
uses: actions/upload-artifact@v4
with:
name: file
path: .
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Thanks @intrigus-lgtm, will do |
pwntester
changed the title
javascript/ql/src/change-notes/2024-09-06-new-actions-artifact-leak-query.md
Outdated
Show resolved
Hide resolved
…-leak-query.md Co-authored-by: Asger F <[email protected]>
|
I've started a DCA run, let's merge if that looks good. |
|
DCA run looks good, merging |
This query models the issue coined as ArtiPACKED where the
actions/checkoutaction stores the GITHUB_TOKEN into.git/configand then this directory gets included into an artifact.The latest version of
actions/upload-artifacthas been patched to prevent hidden files to be included into the artifact. This query reports those cases where users are both using an unpatched version ofactions/upload-artifactand also usingactions/checkoutin a way that persists credentials into.gitdirectory.