Skip to content

Security vulnerabilities in CI workflow #79

Description

@ItsMeForLua

I noticed a few security issues in ci.yml that I feel may be worth concern.


Node.js 20 deprecation

n.b., This one is particularly time sensitive.
actions/checkout@v4 and actions/cache@v4 both run on the Node.js 20 runtime, which GitHub is force-migrating to Node.js 24 starting June 16th. After that date these will produce errors and eventually stop working entirely. Both need to be updated to @v5.


Actions pinned to mutable version tags (CWE-829, CWE-494)

uses: actions/checkout@v4
uses: actions/cache@v4

Version tags like @v4 are mutable, so, they can be secretly repointed to different commits at any time. Pinning to a full commit SHA should ensure the workflow actually executes exactly the code that was reviewed:

uses: actions/checkout@<SHA>
uses: actions/cache@<SHA>

Downloaded artifacts have no integrity verification CWE-494

Three downloads happen with no checksum verification:

# CCL binary with no SHA check
curl -o ccl.tar.gz ... 'https://github.com/Clozure/ccl/releases/download/v1.12/ccl-1.12-linuxx86.tar.gz'

# Quicklisp also with no SHA check
curl -o quicklisp.lisp 'https://beta.quicklisp.org/quicklisp.lisp'

If either upstream is compromised, arbitrary code runs in the CI environment. Adding a sha256sum -c check after each download should fix this:

echo "expected-sha256  ccl.tar.gz" | sha256sum -c
echo "expected-sha256  quicklisp.lisp" | sha256sum -c

Unpinned git clone of external repos CWE-829

git clone --recurse-submodules --depth 1 ... https://github.com/grpc/grpc
git clone https://github.com/qitab/cl-protobufs

Both clone the current HEAD of the default branch, meaning, the build silently changes whenever those repos receive new commits. Adding --branch <tag> and then checking out a specific commit hash would make these a bit more deterministic, which is also a concern regarding reproducibility of a CI/CD test.

ubuntu-latest is a mutable runner tag CWE-829

runs-on: ubuntu-latest

ubuntu-latest can be redirected by GitHub to a different Ubuntu version. ubuntu-24.04 pins to a known LTS release.


I can submit a PR as well if wanted. I need to update some my repos with similar fixes anyway.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions