Potential security issues in GitHub Actions workflows #29777

Open
jiangnanpro opened this issue Oct 30, 2024 · 3 comments

jiangnanpro commented Oct 30, 2024

Potential security issues in GitHub Actions workflows

Hi! We are a research team from Radboud University in the Netherlands, currently working on security vulnerability analysis on GitHub Actions workflows. During our study, we found some potential issues in the workflow files of your repository and would like to bring them to your attention to help enhance security.

Detailed Findings:

Please find the detected potential security issues below:

Issues Analysis:

  • No job permissions specified
    This is a risk because you are not setting the permissions key in your job to modify the default permissions granted to the GITHUB_TOKEN for this job and limit access to only the minimum required level. We recommend adhering to the principle of least privilege by setting the permissions key to declare only the necessary permissions at both the workflow and job levels. Check details.

Feedback Request:

We greatly appreciate your attention to this matter. If you are willing to provide feedback, please consider completing a brief anonymous survey (google form): Developer Perspectives on GitHub Actions workflow Security, which will take around 3 minutes. Your feedback is invaluable in helping us gain insights on how to improve the security of the GitHub ecosystem.

Thank you!
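As an added illustration (not part of this issue or of the three.js repository's own workflows), here is an assumed CI workflow without a permissions key beside the same workflow with least-privilege permissions declared at both the workflow and job levels; the workflow name, job names and steps are assumptions.

```yaml
# BEFORE (assumed file .github/workflows/ci.yml): no permissions key, so every
# job receives the repository's default GITHUB_TOKEN permissions, which may be
# read/write on most scopes depending on the repository settings.
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
---
# AFTER (same assumed file): least privilege declared explicitly.
name: ci
on: [push, pull_request]

# Workflow-level default: every job starts with a token that can only read
# repository contents; all other scopes are set to none.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the workflow-level read-only token; nothing extra is declared.
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

  label:
    runs-on: ubuntu-latest
    needs: test
    # Job-level override for the one job that needs a write scope.
    # A job-level permissions block replaces the workflow-level block
    # entirely, so contents: read is restated here because this job also
    # checks out the repository.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: echo "label the pull request here (assumed step)"
```

Declaring `permissions` at the top level also makes the reduced token the default for any job added later, so a new job cannot silently inherit broader access.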

Mugen87 (Collaborator) commented Oct 30, 2024

We have defined a security policy for the project as recommended by GitHub.

https://github.com/mrdoob/three.js/blob/dev/SECURITY.md

The policy states something fundamental in the context of security issues:

If you have discovered a security vulnerability in this project, please report it privately. Do not disclose it as a public issue. This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.

I don't understand why people constantly ignore security policies and report security related topics via public issues.

jiangnanpro (Author) commented

Hi, thank you for your feedback! We only report vulnerabilities that are categorized as mild. In your case, the issue is related solely to the least privilege principle and does not pose any significant risk to your repository. I've removed the content of the detailed findings and will be more careful in the future.

Mugen87 (Collaborator) commented Oct 30, 2024

Thanks! Please always use the contact information from the policy, no matter how severe the security issue is.
