Cybersecurity, GitHub Actions Token Leak
In August 2024 a new attack vector was reported against users of GitHub Actions who publish artifacts (including release uploads) from public repositories: an artifact that accidentally contains the checkout's .git directory can expose the workflow's authentication token to anyone who downloads it. A large number of public repositories have been found to be vulnerable.
About
Users of GitHub artifacts on public repositories should follow the steps below to mitigate this risk. Failure to mitigate can allow a malicious actor who recovers a leaked token from an artifact to upload a malicious replacement release package to the repository.
Teams concerned that their repositories may be affected can reach out to securitysupport@illinois.edu for a quick consultation with Cybersecurity Development.
Immediate Action Steps
- Take care any time you create an artifact, such as a .tar or .zip for the Release area, to include only the intended contents
- Update any use of the super-linter GitHub action on a public repository to version 7.0.0 or higher
- Update any use of microsoft/typescript-bot-test-triggerer to the latest revision
- Do not upload the root of a git clone, since .git can contain sensitive authentication tokens; in particular, actions/checkout stores the workflow's GITHUB_TOKEN in .git/config by default (persist-credentials: true), so an archive of the clone root carries that token with it
- Ensure that security advisories, dependabot alerts and secret scanning alerts are all enabled on all GitHub repositories, private and public
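The following shell script is an added example for this page, not code from GitHub, super-linter or any other project named above. It shows the first and fourth steps in practice: a throwaway checkout is built whose .git/config carries a fake credential in the same format actions/checkout writes (base64 of x-access-token:TOKEN in an "extraheader" line), the clone root is packaged once unsafely and once with .git excluded, and a pre-upload check refuses any archive that still contains a .git directory or a credential-looking line. The repository layout, file names and token value are constructed for the demo; the script assumes a POSIX shell with tar (GNU or BSD, both accept --exclude), mktemp and grep -E.

```shell
#!/bin/sh
# Added example: why archiving a clone root leaks a token, and a gate that
# rejects such an archive before upload. The checkout below is constructed;
# the credential is a fake value in the format actions/checkout writes when
# persist-credentials is left at its default of true.
set -eu

# Build a fake checkout: one source file plus a .git/config holding the
# fake credential (base64 of "x-access-token:ghs_FAKE", not a real token).
make_fake_clone() {
  mkdir -p "$1/.git" "$1/src"
  printf 'print("hello")\n' > "$1/src/main.py"
  cat > "$1/.git/config" <<'EOF'
[core]
    repositoryformatversion = 0
[http "https://github.com/"]
    extraheader = AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46Z2hzX0ZBS0U=
EOF
}

# Unsafe: archive the whole clone root, which drags .git along.
pack_unsafe() {
  tar -cf "$2" -C "$1" .
}

# Safe: same tree, but .git is excluded from the archive.
pack_safe() {
  tar --exclude='.git' -cf "$2" -C "$1" .
}

# Pre-upload gate. Returns 1 (reject) if the archive lists a .git directory
# or its contents look like a git credential header or a GitHub token,
# and 0 (accept) otherwise.
check_archive() {
  if tar -tf "$1" | grep -qE '(^|/)\.git(/|$)'; then
    echo "REJECT: $1 contains a .git directory" >&2
    return 1
  fi
  if tar -xOf "$1" | grep -qE 'AUTHORIZATION: basic|extraheader|gh[pousr]_[A-Za-z0-9]{20,}'; then
    echo "REJECT: $1 contains what looks like a git credential" >&2
    return 1
  fi
  echo "OK: $1 passed the pre-upload check"
  return 0
}

# Walk through both packagings so the difference is visible when run directly.
demo() {
  work=$(mktemp -d)
  make_fake_clone "$work/repo"
  pack_unsafe "$work/repo" "$work/release-unsafe.tar"
  pack_safe   "$work/repo" "$work/release-safe.tar"
  check_archive "$work/release-unsafe.tar" || true   # rejected: .git is inside
  check_archive "$work/release-safe.tar"             # accepted
  rm -rf "$work"
}

demo
```

Listing the release directories explicitly instead of "." is better still, since then nothing outside them can be picked up by accident. In a workflow, pair this with persist-credentials: false on actions/checkout when later steps do not need to push, and a minimal permissions block so that a token which does leak has as little power as possible.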
Additional Mitigations
- Like any software dependency, references to pre-made GitHub actions should be reviewed and updated regularly, so that a vulnerability fixed upstream does not stay open in your workflows
- Be cautious about what a workflow writes to its logs on a public repository: the run logs there are readable by anyone, and while registered secrets are masked, other sensitive values that end up in debug output are not
- Keep every token's permissions as limited as possible (for example, read-only unless a step must write) to reduce the harm caused when one leaks
- Remember that a replaced artifact can cause harm to downstream projects and systems, as well as directly to end users
- For appropriate use cases, it is possible to restrict access to your GitHub Organization by IP