
fix: prevent pwn-request RCE via Qodana workflow#3217

Open · dennisdoomen wants to merge 2 commits into main from dennisdoomen/fix-pwn-request-workflow

Conversation

@dennisdoomen

Member

Security vulnerability fixed

The problem

.github/workflows/code_quality.yml used pull_request_target (which runs on the base repo with access to repository secrets) together with actions/checkout using ref: github.event.pull_request.head.sha, which checks out untrusted contributor code in a privileged context. Because QODANA_TOKEN is injected via env:, any PR from an external contributor could exfiltrate or abuse it — a classic pwn request RCE pattern.

The fix: two-workflow pattern

The single vulnerable workflow is replaced with three:

| File | Trigger | Secrets? | Runs contributor code? |
|---|---|---|---|
| code_quality.yml | push to main/develop, workflow_dispatch | Yes | No (trusted) |
| code_quality_pr.yml | pull_request | No | Yes (safe — no secrets) |
| code_quality_upload.yml | workflow_run (after PR analysis) | Yes | No |

Workflow 1 (code_quality.yml) — unchanged behaviour for branch pushes and manual triggers. Checks out trusted code and uploads results to Qodana Cloud with QODANA_TOKEN.

Workflow 2 (code_quality_pr.yml) — triggered by pull_request (not pull_request_target). Runs with contributor code but has no access to secrets. Runs Qodana with upload-result: false, then saves the results directory and the PR number as a GitHub Actions artifact.

Workflow 3 (code_quality_upload.yml) — triggered by workflow_run on completion of Workflow 2. Always runs on the default branch, so QODANA_TOKEN is available. Never checks out any PR code. Downloads the artifact and uploads results to Qodana Cloud via qodana send.

References

dennisdoomen and others added 2 commits July 2, 2022 18:31
The previous code_quality.yml combined pull_request_target (which runs
with base-repo secrets) with actions/checkout using
ref: github.event.pull_request.head.sha (which checks out untrusted
contributor code). This is the classic 'pwn request' pattern: any external
contributor could submit a PR that executes arbitrary code with access to
QODANA_TOKEN.

Fix: implement the two-workflow safe pattern.

1. code_quality.yml (push / workflow_dispatch only)
   - Handles pushes to main and develop, plus manual triggers.
   - Checks out trusted code and uploads results with QODANA_TOKEN as before.

2. code_quality_pr.yml (pull_request - no secrets)
   - Triggered by pull_request (NOT pull_request_target), so the job
     runs with contributor code but has NO access to repository secrets.
   - Runs Qodana analysis with upload-result: false.
   - Saves results and PR number as a workflow artifact.

3. code_quality_upload.yml (workflow_run - secrets, no code checkout)
   - Triggered when Qodana (PR) completes on the default branch,
     so QODANA_TOKEN is available and no contributor code is ever executed.
   - Downloads the artifact and uploads results to Qodana Cloud via the
     Qodana CLI send command.

References:
- https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
- https://www.jetbrains.com/help/qodana/github.html

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
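The dangerous combination spelled out in the description and the commit message above (a pull_request_target trigger, a checkout of the PR head, and a secret passed through env) can be audited mechanically across a repository's workflow files. The Ruby script below is an added example, not code from this PR or from the FluentAssertions repository; the workflow snippets it checks are constructed to mirror the described before/after state, and the job name `qodana` and the action versions are assumptions.

```ruby
require "yaml"
# Constructed sample (not the repository's real file) mirroring the vulnerable
# pattern: pull_request_target + checkout of the PR head + a secret via env.
VULNERABLE = <<~WF
  on:
    pull_request_target:
  jobs:
    qodana:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
          with:
            ref: ${{ github.event.pull_request.head.sha }}
        - uses: JetBrains/qodana-action@main
          env:
            QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
WF
# The PR's replacement trigger: same job, but pull_request gets no secrets.
SAFE_PR = VULNERABLE.sub("pull_request_target:", "pull_request:")
# Legitimate pull_request_target use: never checks out contributor code.
BASE_ONLY = VULNERABLE.lines.reject { |l| l.match?(/\b(with|ref):/) }.join
PR_HEAD = /github\.event\.pull_request\.head\.(sha|ref)/

def triggers(workflow)
  on = workflow.fetch("on") { workflow[true] } # YAML 1.1 reads a bare `on` key as true
  case on
  when String then [on]
  when Array  then on.map(&:to_s)
  when Hash   then on.keys.map(&:to_s)
  else []
  end
end

# One finding per job that runs in the privileged pull_request_target context
# and checks out the PR head: contributor code then runs with the secrets.
def audit(workflow)
  return [] unless triggers(workflow).include?("pull_request_target")
  secrets = workflow.to_yaml.scan(/secrets\.(\w+)/).flatten.uniq
  (workflow["jobs"] || {}).filter_map do |name, job|
    checks_out_head = (job["steps"] || []).any? do |step|
      step["uses"].to_s.start_with?("actions/checkout") &&
        step.dig("with", "ref").to_s.match?(PR_HEAD)
    end
    next unless checks_out_head
    exposed = secrets.empty? ? "GITHUB_TOKEN only" : secrets.join(", ")
    "#{name}: pull_request_target + checkout of PR head; in scope: #{exposed}"
  end
end
def audit_yaml(text); audit(YAML.safe_load(text)); end
ARGV.each { |f| audit_yaml(File.read(f)).each { |m| puts "#{f}: #{m}" } }
```

Run it as `ruby audit_workflows.rb .github/workflows/*.yml`; a job that uses pull_request_target only to read PR metadata (no checkout of the head) is deliberately not reported, because the privileged trigger by itself is not the bug.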
@github-actions


Qodana for .NET

It seems all right 👌

No new problems were found according to the checks applied

💡 Qodana analysis was run in the pull request mode: only the changed files were checked
☁️ View the detailed Qodana report

Detected 86 dependencies

Third-party software list

This page lists the third-party software dependencies used in FluentAssertions

| Dependency | Version | Licenses |
|---|---|---|
| MSTest.TestAdapter | 2.2.9 | MIT |
| MSTest.TestFramework | 2.2.9 | MIT |
| Microsoft.NET.Test.Sdk | 16.11.0 | MS-NET-LIBRARY-2019-06 |
| Microsoft.NETCore.Platforms | 2.1.0 | MIT |
| Microsoft.NETCore.Targets | 1.1.0 | MIT |
| Microsoft.NETCore.UniversalWindowsPlatform | 6.2.13 | MS-NET-LIBRARY-2018-11 |
| Microsoft.Net.Native.Compiler | 2.2.11-rel-30601-02 | MS-NET-LIBRARY-2018-11 |
| Microsoft.Net.UWPCoreRuntimeSdk | 2.2.13 | MS-NET-LIBRARY-2018-11 |
| Newtonsoft.Json | 9.0.1 | MIT |
| System.Buffers | 4.3.0 | MIT |
| System.Collections | 4.3.0 | MIT |
| System.ComponentModel.Primitives | 4.1.0 | MIT |
| System.ComponentModel.TypeConverter | 4.1.0 | MIT |
| System.Diagnostics.Debug | 4.3.0 | MIT |
| System.Globalization | 4.3.0 | MIT |
| System.IO.FileSystem.Primitives | 4.3.0 | MIT |
| System.IO.FileSystem | 4.3.0 | MIT |
| System.IO | 4.3.0 | MIT |
| System.ObjectModel | 4.3.0 | MIT |
| System.Private.Uri | 4.3.0 | MIT |
| System.Reflection.Primitives | 4.3.0 | MIT |
| System.Reflection | 4.3.0 | MIT |
| System.Resources.ResourceManager | 4.3.0 | MIT |
| System.Runtime.Extensions | 4.3.0 | MIT |
| System.Runtime.Handles | 4.3.0 | MIT |
| System.Runtime.InteropServices.RuntimeInformation | 4.0.0 | MIT |
| System.Runtime.InteropServices | 4.3.0 | MIT |
| System.Runtime.WindowsRuntime | 4.3.0 | MIT |
| System.Runtime | 4.3.0 | MIT |
| System.Text.Encoding.Extensions | 4.3.0 | MIT |
| System.Text.Encoding | 4.3.0 | MIT |
| System.Text.RegularExpressions | 4.3.0 | MIT |
| System.Threading.Overlapped | 4.3.0 | MIT |
| System.Threading.Tasks.Extensions | 4.3.0 | MIT |
| System.Threading.Tasks | 4.3.0 | MIT |
| System.Threading | 4.3.0 | MIT |
| System.Xml.ReaderWriter | 4.3.0 | MIT |
| System.Xml.XPath.XmlDocument | 4.3.0 | MIT |
| System.Xml.XPath | 4.3.0 | MIT |
| System.Xml.XmlDocument | 4.3.0 | MIT |
| runtime.any.System.Collections | 4.3.0 | MIT |
| runtime.any.System.Globalization | 4.3.0 | MIT |
| runtime.any.System.IO | 4.3.0 | MIT |
| runtime.any.System.Reflection.Primitives | 4.3.0 | MIT |
| runtime.any.System.Reflection | 4.3.0 | MIT |
| runtime.any.System.Resources.ResourceManager | 4.3.0 | MIT |
| runtime.any.System.Runtime.Handles | 4.3.0 | MIT |
| runtime.any.System.Runtime.InteropServices | 4.3.0 | MIT |
| runtime.any.System.Runtime | 4.3.0 | MIT |
| runtime.any.System.Text.Encoding.Extensions | 4.3.0 | MIT |
| runtime.any.System.Text.Encoding | 4.3.0 | MIT |
| runtime.any.System.Threading.Tasks | 4.3.0 | MIT |
| runtime.aot.System.Collections | 4.3.0 | MIT |
| runtime.aot.System.Globalization | 4.3.0 | MIT |
| runtime.aot.System.IO | 4.3.0 | MIT |
| runtime.aot.System.Reflection.Primitives | 4.3.0 | MIT |
| runtime.aot.System.Reflection | 4.3.0 | MIT |
| runtime.aot.System.Resources.ResourceManager | 4.3.0 | MIT |
| runtime.aot.System.Runtime.Handles | 4.3.0 | MIT |
| runtime.aot.System.Runtime.InteropServices | 4.3.0 | MIT |
| runtime.aot.System.Runtime | 4.3.0 | MIT |
| runtime.aot.System.Text.Encoding.Extensions | 4.3.0 | MIT |
| runtime.aot.System.Text.Encoding | 4.3.0 | MIT |
| runtime.aot.System.Threading.Tasks | 4.3.0 | MIT |
| runtime.win.System.Diagnostics.Debug | 4.3.0 | MIT |
| runtime.win.System.IO.FileSystem | 4.3.0 | MIT |
| runtime.win.System.Runtime.Extensions | 4.3.0 | MIT |
| runtime.win10-arm-aot.Microsoft.NETCore.UniversalWindowsPlatform | 6.2.13 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-arm.Microsoft.NETCore.UniversalWindowsPlatform | 6.2.13 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-arm.Microsoft.Net.Native.Compiler | 2.2.11-rel-30601-02 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-arm.Microsoft.Net.Native.SharedLibrary | 2.2.8-rel-30601-02 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-arm.Microsoft.Net.UWPCoreRuntimeSdk | 2.2.13 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-arm64-aot.Microsoft.NETCore.UniversalWindowsPlatform | 6.2.13 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-arm64.Microsoft.Net.Native.Compiler | 2.2.11-rel-30601-02 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-arm64.Microsoft.Net.Native.SharedLibrary | 2.2.8-rel-30601-02 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-x64-aot.Microsoft.NETCore.UniversalWindowsPlatform | 6.2.13 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-x64.Microsoft.NETCore.UniversalWindowsPlatform | 6.2.13 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-x64.Microsoft.Net.Native.Compiler | 2.2.11-rel-30601-02 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-x64.Microsoft.Net.Native.SharedLibrary | 2.2.8-rel-30601-02 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-x64.Microsoft.Net.UWPCoreRuntimeSdk | 2.2.13 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-x86-aot.Microsoft.NETCore.UniversalWindowsPlatform | 6.2.13 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-x86.Microsoft.NETCore.UniversalWindowsPlatform | 6.2.13 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-x86.Microsoft.Net.Native.Compiler | 2.2.11-rel-30601-02 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-x86.Microsoft.Net.Native.SharedLibrary | 2.2.8-rel-30601-02 | MS-NET-LIBRARY-2018-11 |
| runtime.win10-x86.Microsoft.Net.UWPCoreRuntimeSdk | 2.2.13 | MS-NET-LIBRARY-2018-11 |
| runtime.win7.System.Private.Uri | 4.3.0 | MIT |
