easymock/objenesis

Set permissions for GitHub actions

Closed this issue · 2 comments

Hi, I am from Google and the OpenSSF, and I help open source projects increase their supply chain security by using the OpenSSF Scorecard checks as a guide.

Description

I would like to suggest the use of scoped permissions on the GitHub workflows you have.

It is a known behavior of GitHub Actions to always set all GITHUB_TOKEN permissions as write by default, which gives unnecessary power to the action that could be exploited if the workflow got compromised.

Since it is not always clear what permissions are being granted for a workflow, it is both a recommendation from OpenSSF Scorecard and GitHub to always use credentials that are minimally scoped by using the permission command in the yml files.

Let me know if a PR is welcome with the changes described -- looking at the ci.yml, a top level contents: read will be enough.

Additional Content

Here are some threat vectors for each type of write permission granted:

  • statuses - May allow an attacker to change the result of pre-submit checks and get a PR merged.
  • checks - May allow an attacker to remove pre-submit checks and introduce a bug.
  • security-events - May allow an attacker to read vulnerability reports before a patch is available. Should only be granted to recognized actions for uploading SARIF results.
  • deployments - May allow an attacker to charge the repo owner by triggering VM runs, and there is a tiny chance an attacker can trigger a remote service with code they own if the server accepts code/location variables unsanitized.
  • contents - Allows an attacker to commit unreviewed code. Should only be granted to recognized packaging actions or commands.
  • packages - Allows an attacker to publish packages. Should only be granted to recognized packaging actions or commands.
  • actions - May allow an attacker to steal GitHub secrets by approving to run an action that needs approval.
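As an added illustration (not the project's actual ci.yml and not part of the issue), this is the scoped form the issue asks for: a top-level `contents: read` baseline plus a per-job override for the one case the list above says may legitimately need a write scope. The job names, the Maven build step and the SARIF-producing step are assumed.

```yaml
# Added example, not easymock/objenesis's own ci.yml. Job names, the Maven
# build step and the SARIF scan step are assumed for illustration.
name: CI
on: [push, pull_request]

# Without this key every job's GITHUB_TOKEN gets the repository default,
# which, as the issue describes, has been read/write on all scopes.
# Declaring it at the top level makes read-only the baseline for every
# job; any scope not listed here is "none".
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits `contents: read`, which is enough to check out and build.
    steps:
      - uses: actions/checkout@v4
      - run: mvn -B verify

  sarif-upload:
    runs-on: ubuntu-latest
    needs: build
    # A job that genuinely needs a write scope re-declares permissions
    # itself, so the broader grant never reaches other jobs. `contents:
    # read` is listed again because a job-level block replaces the
    # top-level one rather than adding to it.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - run: ./scan.sh > results.sarif   # hypothetical scanner step
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```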

Hi! This issue has been idle for quite some time. Do you plan on considering these changes? If so, just let me know and I'll be happy to submit a PR. Otherwise I will wait up to 2 more months to close the issue. Let me know if you would rather keep it open as "not planned" for later.
Thanks!

Sure. Please do.