GitHub Actions checkspelling community workflow GitHub_TOKEN leakage via symlink

I don&#x27;t know why it hasn&#x27;t occurred to me as a problem before, but branches&#x2F;PRs can also modify the workflow, and their build runs the new modified workflow... I must be missing something, because that seems to make it way worse, forget symlinks and project-specific vulns, just print the env? Has modifying the workflow on a &#x27;PR branch&#x27; only worked for me because I&#x27;ve been the repo owner perhaps?<p>Edit to add: I think what I&#x27;m missing (haven&#x27;t fully understood yet, just thought should share) is the importance here of the &#x27;pull_request_target&#x27; event type used. The docs carry a warning:<p>&gt; Warning: The pull_request_target event is granted a read&#x2F;write repository token and can access secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should make sure that you do not check out, build, or run untrusted code from the pull request with this event. Additionally, any caches share the same scope as the base branch, and to help prevent cache poisoning, you should not save the cache if there is a possibility that the cache contents were altered. For more information, see &quot;Keeping your GitHub Actions and workflows secure: Preventing pwn requests&quot; on the GitHub Security Lab website.<p><a href="https:&#x2F;&#x2F;docs.github.com&#x2F;en&#x2F;actions&#x2F;reference&#x2F;events-that-trigger-workflows#pull_request_target" rel="nofollow">https:&#x2F;&#x2F;docs.github.com&#x2F;en&#x2F;actions&#x2F;reference&#x2F;events-that-tri...</a>

The more I&#x27;ve used Actions, the more I have come to two conclusions:<p>1) It&#x27;s generally better to just do things with legacy tooling and your own scripts, than it is to pull in community actions<p>2) GitHub <i>badly</i> needs to implement tightly scoped tokens. GITHUB_TOKEN has a completely fixed and unmodifiable scope, and if you need to give a workflow an OAuth token to perform some other operation, your <i>only</i> choice is to give it a full read-write token for all of the repositories the token&#x27;s user can access. You can&#x27;t even scope a token to a single repo, let alone make one that&#x27;s read-only, or limited to, say, commenting.

I was under the impression that the default temporary GITHUB_TOKEN for forked repos (which is what happens with PRs) were read-only. Isn&#x27;t that the case?<p><a href="https:&#x2F;&#x2F;docs.github.com&#x2F;en&#x2F;actions&#x2F;reference&#x2F;authentication-in-a-workflow#permissions-for-the-github_token" rel="nofollow">https:&#x2F;&#x2F;docs.github.com&#x2F;en&#x2F;actions&#x2F;reference&#x2F;authentication-...</a>

This is super interesting; we had a fairly long discussion about whether or not to add this action to cert-manager[1], and ended up rejecting it in part because it increased the risk of supply-chain attacks and that risk wasn&#x27;t, in our opinion, outweighed by the potential benefit of catching more spelling mistakes.[2]<p>For me, I think there&#x27;s a wider point here that GitHub Actions are pretty scary in terms of these kinds of attacks. Pre-packaged actions are easy to add to a project but come with risks, as this security advisory shows! There are a few aspects to Actions which made me a little uneasy in terms of my threat models when building software, and personally I&#x27;ve tended to avoid them.<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;jetstack&#x2F;cert-manager" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;jetstack&#x2F;cert-manager</a> (Full disclosure, I&#x27;m part of the team paid by Jetstack to work on the cert-manager project)<p>[2] <a href="https:&#x2F;&#x2F;github.com&#x2F;jetstack&#x2F;cert-manager&#x2F;pull&#x2F;3863#issuecomment-872375017" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;jetstack&#x2F;cert-manager&#x2F;pull&#x2F;3863#issuecomm...</a>

It feels kind of absurd to me that symlinks like this work by default in workflows, if at all. The symlink being able to point outside of the source tree is even worse. Github should be scrubbing anything like this from PRs at a minimum. The only use cases for this stuff I can think of are either absurdly low-quality code (a security risk you absolutely don&#x27;t want to accept), or attacks.

I&#x27;ve always been a bit vary of running stuff automatically on PRs from untrusted persons. How easy is it to exploit? If my repo always runs all tests on a PR, could someone just add a PR with a new test that is then run? Thus running their arbitrary code.

Do spelling checks like this one provide valuable feedback for anyone?<p>I always found they required constant configuration to handle regional language and false positives on valid programming terms.

&gt; Importantly, you must do this for every open branch in your repo. It is not enough to do so for only your default branch since a malicious PR can target any of your open branches. That is, if you have an open branch that uses a vulnerable version of check-spelling then a malicious PR targeting that branch can leak a GITHUB_TOKEN which can then be used to impact any of your branches, including your default branch.<p>I think this is a big design flaw in GitHub Actions. Whenever there is a security patch, you have to make sure to apply them in every branch. This includes all the historical branches and stale branches which the repo owners forget to delete.

Note -- if you&#x27;re running Github Actions on your local machine, run it in a VM. You can use something like multipass[0] which is pretty light (Ubuntu is heavy of course, but is the expected OS of most setup documentation).<p>While working on a project of mine that runs runners (Github, GitLab and others), how to safely run other people&#x27;s random workloads and <i>not</i> become a botnet&#x2F;crypto miner was basically the only hard technical challenge. GitLab is farther ahead in terms of runner sophistication (and also options available to you when self hosting) by a long shot.<p>[0]: <a href="https:&#x2F;&#x2F;multipass.run&#x2F;docs" rel="nofollow">https:&#x2F;&#x2F;multipass.run&#x2F;docs</a>

So, I get really confused by Github permissions model; I know that sometimes I am forced to give something access to <i>all</i> of my repos when I really only want it to act on one.<p>Does this affect the leaked GITHUB_TOKEN, what would that token give a posessor access to, what&#x27;s the scope? Just one repo, or many?<p>If the token gives access to, say, every repo that the user who authorized it has access to, this makes the scope of any vulnerability even worse. And vulnerabilities, like bugs, will always happen.<p>I&#x27;ve been wondering for a while how github gets away with such poor scoping of it&#x27;s auth without more outcry&#x2F;demand. And figured that maybe it would take an exersized vulnerability to bring attention to it.

Probably this info is reflected somewhere in the document (my bad), but is there any specific insight that we can learn for the code we write to avoid similar issues?