Description
When running the runner with

```bash
$ docker run --rm \
  --name github-runner \
  -e GITHUB_OWNER=5nafu \
  -e GITHUB_REPOSITORY=sanderKnape_github-runner_env_exposure \
  -e GITHUB_PAT=<TOKEN> \
  -e RUNNER_LABELS=comma,separated,labels \
  -e ARBITRARY_ENV=value \
  sanderknape/github-runner
```

all environment variables supplied to the runner are exposed to the GitHub Actions jobs. This includes (but is not limited to) the personal access token used to register a runner.
An attacker could use a malicious action to leak the tokens and thus gain access to the code.
Action:

```yaml
name: Go
on:
  - push
jobs:
  debug:
    name: Output Debug
    runs-on: self-hosted
    steps:
      - name: Output simple environment
        # `>` is a folded scalar: the echo lines below are joined into one
        # command, which is why the log shows them on a single line.
        run: >
          echo GITHUB_OWNER: $GITHUB_OWNER
          echo GITHUB_REPOSITORY: $GITHUB_REPOSITORY
          echo GITHUB_PAT: $GITHUB_PAT
          echo RUNNER_LABELS: $RUNNER_LABELS
          echo ARBITRARY_ENV: $ARBITRARY_ENV
```

Logs:
```text
2021-05-12T13:41:32.5870992Z ##[group]Run echo GITHUB_OWNER: $GITHUB_OWNER echo GITHUB_REPOSITORY: $GITHUB_REPOSITORY echo GITHUB_PAT: $GITHUB_PAT echo RUNNER_LABELS: $RUNNER_LABELS echo ARBITRARY_ENV: $ARBITRARY_ENV
2021-05-12T13:41:32.5872899Z echo GITHUB_OWNER: $GITHUB_OWNER echo GITHUB_REPOSITORY: $GITHUB_REPOSITORY echo GITHUB_PAT: $GITHUB_PAT echo RUNNER_LABELS: $RUNNER_LABELS echo ARBITRARY_ENV: $ARBITRARY_ENV
2021-05-12T13:41:32.5884176Z shell: /bin/bash -e {0}
2021-05-12T13:41:32.5884735Z ##[endgroup]
2021-05-12T13:41:32.5941776Z GITHUB_OWNER: 5nafu echo GITHUB_REPOSITORY: 5nafu/sanderKnape_github-runner_env_exposure echo GITHUB_PAT: *** echo RUNNER_LABELS: comma,separated,labels echo ARBITRARY_ENV: value
```
You can check the action in `5nafu/sanderKnape_github-runner_env_exposure:.github/workflows/debug.yml` and the output in `/5nafu/sanderKnape_github-runner_env_exposure/actions/runs/835647428`.
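The root cause is that the container entrypoint registers the runner and then starts it in the same environment, so every job step inherits `GITHUB_PAT` and the other registration inputs. The following is an added example of a hardened entrypoint pattern; it is not the sanderknape/github-runner project's own entrypoint. The variable list in `SECRET_VARS`, the function names and the `ghp_constructedexampletoken` value are assumptions made for the example; the real registration call against the GitHub API is left as a comment.

```shell
#!/bin/sh
# Added example (not the sanderknape/github-runner project's own code):
# consume the registration inputs, then scrub them from the environment
# before the runner and any job step it spawns are started.
set -eu

# Registration inputs that must not be inherited by job steps (assumed list;
# GITHUB_PAT is the one the issue demonstrates).
SECRET_VARS="GITHUB_PAT GITHUB_OWNER GITHUB_REPOSITORY RUNNER_LABELS"

# Print a space-separated list of SECRET_VARS that a child process would
# inherit, i.e. that are exported in the current environment. Empty = clean.
exported_secrets() {
  found=""
  for name in $SECRET_VARS; do
    # printenv exits non-zero when the variable is not in the environment
    if printenv "$name" >/dev/null 2>&1; then
      found="${found:+$found }$name"
    fi
  done
  printf '%s' "$found"
}

# Consume the PAT for registration. A real entrypoint would exchange it here
# for a short-lived registration token via the GitHub API and run config.sh;
# this example only validates that it is present.
register_runner() {
  pat="${GITHUB_PAT:?GITHUB_PAT is required to register the runner}"
  printf 'registering with a %d-character token\n' "${#pat}"
}

# Drop the registration inputs so that nothing started afterwards,
# including every job step, can read them.
scrub_env() {
  for name in $SECRET_VARS; do
    unset "$name"
  done
}

# What a job step sees when the entrypoint does NOT scrub (the reported bug):
# a subshell stands in for the runner's child process.
job_view_without_scrub() {
  ( exported_secrets )
}

# What a job step sees once the entrypoint scrubs before starting the runner.
job_view_after_scrub() {
  (
    scrub_env
    exported_secrets
  )
}

# Stand-alone demo with a constructed (fake) token: ./entrypoint.sh demo
if [ "${1:-}" = "demo" ]; then
  export GITHUB_OWNER=5nafu
  export GITHUB_REPOSITORY=example
  export GITHUB_PAT=ghp_constructedexampletoken
  export RUNNER_LABELS=a,b
  register_runner
  echo "visible to job without scrub: $(job_view_without_scrub)"
  echo "visible to job after scrub:   '$(job_view_after_scrub)'"
  # A real entrypoint would now do:  scrub_env; exec ./run.sh
fi
```

The same `exported_secrets` check can be dropped into a workflow step on the self-hosted runner to verify the fix from the job's side: a non-empty result means the runner process was started with the registration inputs still in its environment.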