Supply chain attacks are not something new; we have heard about them extensively, and the maximum we can do is mitigate them as best as we can. However, it is crucial to acknowledge that these types of attacks will always exist. With that in mind, it is important to understand all the attack vectors and take the necessary steps to secure your environment.
One of the initiatives planned by the Node.js Security WG (Working Group) for 2023 is to enhance the OSSF Scorecard. This task requires changing all Node.js actions to be pinned by commit-hash. The reason for this approach is quite simple: commit-hash provides immutability, unlike tags which do not.
For instance, it is quite common to include the following action as part of your application’s CI pipeline:
Many developers rely on tools like Dependabot or Renovatebot to ensure that these actions stay up-to-date. However, using the release tag can pose a risk to your environment.
Let’s consider a scenario where a malicious actor gains control over the
actions/checkout package. This compromised package can now potentially manipulate the entire CI process. It can access environment variables used by other jobs, write to a shared directory that subsequent jobs process, make remote calls, inject malicious code into the production binary, and perform other malicious activities
What many developers assume is that once they pin an action using a release tag, such as v3.5.2, they are safe because any new changes would require a new release. However, this assumption is fundamentally incorrect. Release tags are mutable , and a malicious actor can override them. To illustrate this point, I have created two repositories for educational purposes:
.github/workflows/main.yml file of the latter repository, the
bad-action is being used in version v1.0.1:
For this practical example,
workflow_dispatch will be used, but the same applies to
on: [push, pull_request] processes and so on.
As a result, when the action is executed, it prints “Hello world” in the console.
Now, let’s consider the scenario where a bad actor takes over the repository and modifies the “Hello world” message to “Hello darkness my old friend” without creating a new release. Instead, the actor overrides the existing v1.0.1 release using the following commands:
Consequently, if the action is executed again without any changes made to the source code, it will print “Hello darkness my old friend”. This demonstrates how your environment can be exploited by manipulating release tags.
Pinning an action to a full-length commit SHA is currently the only method to ensure the use of an action as an immutable release.
Quoting the OSSF Scorecard:
With that in mind, fixing or securing the action is a straightforward process:
There are open-source tools like StepSecurity that can assist you in addressing these concerns. It generates automated pull requests for your codebase based on the configuration specified on their website.
It’s also worth mentioning that the assessment of the OSSF Scorecard in the Node.js project is an initiative of the Node.js Security WG . If you are interested in learning more or contributing, feel free to join our meetings.