PoC: Demonstrate cache poisoning vulnerability (DO NOT MERGE) #3827
mabrukhany-beep wants to merge 1 commit into
PoC: Demonstrate cache poisoning vulnerability

This commit modifies .bazelrc to add environment variables that will be cached by bazel. If the cache is shared with scheduled workflows (ng-renovate.yml), these variables will be present in those workflows, proving cache poisoning from PR workflows.

Signed-off-by: mabrukhany-beep <mabrukhany@gmail.com>
Code Review
This pull request modifies the .bazelrc file to introduce a Proof of Concept (PoC) demonstrating cache poisoning. The reviewer identified a critical issue where the --workspace_status_command flag is configured with an inline shell command instead of a path to an executable script, which will cause the Bazel build to fail.
|
|
||
| build --action_env=POC_CACHE_POISONED=true | ||
| test --test_env=POC_CACHE_POISONED=true | ||
| build --workspace_status_command="echo 'PoC: Cache poisoned by PR workflow'" |
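Review bot: The build --action_env=POC_CACHE_POISONED=true and test --test_env=POC_CACHE_POISONED=true lines sit unscoped in the repository-wide .bazelrc, so every build and test invocation would pick them up, not only a demonstration run. An --action_env value becomes part of each action's environment, which changes action keys and discards existing cache hits for all contributors. If a marker is needed to demonstrate the report, put it behind a named config (for example build:poc) so it is opt-in, and keep it off the default branch.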
In Bazel, the --workspace_status_command flag expects a path to an executable binary or script, not an inline shell command with arguments. Specifying "echo 'PoC: Cache poisoned by PR workflow'" directly will cause Bazel to look for an executable with that exact name (including the spaces and quotes) in the PATH or workspace, which will fail and break the build.

To fix this and make the PoC work as intended, you should create an executable script (e.g., tools/workspace_status.sh) and reference its path:

```bash
#!/bin/bash
echo "PoC: Cache poisoned by PR workflow"
```

And update .bazelrc to point to that script.
build --workspace_status_command=tools/workspace_status.sh
This is a security proof-of-concept - DO NOT MERGE
This PR demonstrates a cache poisoning vulnerability in the bazel cache sharing between PR workflows and scheduled workflows.
Vulnerability Details
The pr.yml workflow (triggered by pull_request) and ng-renovate.yml workflow (triggered by schedule) both use the same bazel cache key:

```
bazel-cache-${{ runner.os }}-${{ hashFiles('/.bazelversion') }}-${{ hashFiles('**/WORKSPACE') }}-${{ hashFiles('/MODULE.bazel.lock') }}
```

This means:

ng-renovate.yml workflow restores the poisoned cache
NG_RENOVATE_USER_ACCESS_TOKEN

PoC Payload

This PR modifies .bazelrc to add environment variables that will be cached by bazel:

POC_CACHE_POISONED=true

Expected Behavior

When ng-renovate.yml runs on its schedule (every hour at :17 and :47), the bazel cache will contain the poisoned environment variables from this PR workflow.

Impact

An attacker could:

NG_RENOVATE_USER_ACCESS_TOKEN when ng-renovate.yml runs

Fix Recommendation

actions/cache/restore only (no save) in PR workflows

Note: This PoC is safe and only adds environment variables for demonstration. It does not exfiltrate any secrets.
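The fix recommendation above, turned into a check that can run over workflow files; this is an added example, not code from the PR or the repository. The two workflows are constructed samples (file names taken from the description, key shortened, cache path assumed), and `summarize` and `untrusted_cache_writers` are hypothetical helper names.

```python
import re

# Constructed samples, not the repository's real files: trigger names follow the
# PR description, the cache key is shortened and the cache path is made up.
CACHE_STEP = """\
      - uses: actions/cache@v4
        with:
          path: ~/.cache/bazel
          key: bazel-cache-${{ runner.os }}-${{ hashFiles('**/WORKSPACE') }}
"""
PR_YML = "on:\n  pull_request:\njobs:\n  test:\n    steps:\n" + CACHE_STEP
RENOVATE_YML = ("on:\n  schedule:\n    - cron: '17,47 * * * *'\n"
                "jobs:\n  renovate:\n    steps:\n" + CACHE_STEP)
# The PR's fix recommendation: restore only, never save, in PR workflows.
PR_YML_FIXED = PR_YML.replace("actions/cache@v4", "actions/cache/restore@v4")

UNTRUSTED_TRIGGERS = {"pull_request"}  # jobs that build code from a PR branch

def summarize(text):
    """Return (triggers, keys restored, keys saved); block-style `on:` only."""
    triggers = set(re.findall(r"^ {2}(\w+):", text.split("jobs:")[0], re.M))
    restored, saved = set(), set()
    steps = re.findall(
        r"uses:\s*(actions/cache(?:/restore|/save)?)@\S+.*?key:\s*(.+?)\s*$",
        text, re.M | re.S)
    for action, key in steps:
        if not action.endswith("/save"):     # actions/cache and .../restore read
            restored.add(key)
        if not action.endswith("/restore"):  # actions/cache and .../save write
            saved.add(key)
    return triggers, restored, saved

def untrusted_cache_writers(workflows):
    """List (writer, reader, key) where a PR-triggered workflow saves a cache
    key that a workflow without an untrusted trigger restores."""
    info = {name: summarize(text) for name, text in workflows.items()}
    findings = []
    for writer, (w_trig, _, saved) in info.items():
        if not w_trig & UNTRUSTED_TRIGGERS:
            continue
        for reader, (r_trig, restored, _) in info.items():
            if reader != writer and not r_trig & UNTRUSTED_TRIGGERS:
                findings += [(writer, reader, k) for k in sorted(saved & restored)]
    return findings

if __name__ == "__main__":
    print(untrusted_cache_writers({"pr.yml": PR_YML, "ng-renovate.yml": RENOVATE_YML}))
    print(untrusted_cache_writers({"pr.yml": PR_YML_FIXED, "ng-renovate.yml": RENOVATE_YML}))
```

A shared key is only the first condition: GitHub also restricts which refs can restore a given cache entry, so check a flagged pair against those rules before rating the finding.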