When browsing GitHub projects, you see GitHub Actions everywhere. They’ve become the de-facto standard for Continuous Integration/Continuous Deployment (CI/CD) on GitHub, the world’s largest software development platform. With a simple YAML file, developers get a lot of flexibility and can build, test, and deploy their projects. But GitHub Actions go beyond that, allowing developers to build automation for pull requests, issues, and other parts of their repositories.
However, this flexibility can also open the door for attacks. GitHub Actions can operate on pull requests from external users, or process issues created by external collaborators. This means they have to handle data from these events with care, as they otherwise risk letting attackers gain write access to their repository, steal deployment secrets, and more. While researching the workflows of popular GitHub repositories, we discovered new bug patterns, such as Zombie Workflows, which allowed exploiting seemingly fixed vulnerabilities.
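As an illustration of what "handling event data with care" means in practice, here is an added, constructed example (not from the talk or any of the repositories it discusses) of two separate workflow files, shown one after the other. The first expands an attacker-controlled pull request field directly into a shell script while running under the privileged `pull_request_target` event; the second keeps the same check but passes the value through an environment variable, uses the unprivileged `pull_request` event, and restricts the token with `permissions:`. Workflow names and the title convention enforced are assumptions chosen for the example.

```yaml
# Constructed example, not code from the talk.
# A workflow triggered by pull_request_target runs with the base repository's
# write-capable token and secrets, so every field it reads from the event
# payload (title, body, branch name, ...) must be treated as attacker-controlled.

# --- Weak pattern: untrusted PR title expanded into the script text ---
name: pr-lint-weak
on:
  pull_request_target:
    types: [opened, edited]
jobs:
  lint-title:
    runs-on: ubuntu-latest
    steps:
      # The ${{ }} expression is substituted before the shell starts, so the
      # title becomes part of the command line rather than plain data.
      - run: echo "Checking title: ${{ github.event.pull_request.title }}"

---
# --- Hardened pattern: unprivileged trigger, least-privilege token, data via env ---
name: pr-lint-hardened
on:
  pull_request:            # runs in the fork's context: read-only token, no secrets
    types: [opened, edited]
permissions:
  contents: read           # least privilege for GITHUB_TOKEN
jobs:
  lint-title:
    runs-on: ubuntu-latest
    steps:
      - name: Check title
        env:
          # The untrusted value is handed to the step as an environment variable
          # and never expanded into the script text, so it is data, not code.
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          case "$PR_TITLE" in
            feat:*|fix:*|docs:*) echo "ok: $PR_TITLE" ;;
            *) echo "title must start with feat:, fix: or docs:"; exit 1 ;;
          esac
```

The two defensive points carry over to any workflow: keep untrusted payload fields out of `run:` bodies (and out of any other place where they are interpolated as text), and reserve `pull_request_target` for jobs that neither check out nor execute code from the pull request, combined with an explicit `permissions:` block so a compromised step cannot write to the repository.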
In this talk, we will first provide a brief introduction to GitHub Actions, their threat model, and what basic vulnerabilities look like. We then jump into the details of real vulnerabilities we found, starting with Zombie Workflows. We will then dive into more “Horror Stories” with real-world examples of how attackers could have taken over repositories and stolen production secrets. We will close the session with some thoughts on defense and key takeaways.
