I caught someone using a pull request against one of my GitHub repositories to trigger crypto-currency mining via a GitHub action. I took a snapshot of it with archive-web-page here after reporting it to GitHub:

inkdroid.org/web-archives/gith

It seems like this is a thing now: bleepingcomputer.com/news/secu The only way to turn it off is to only run actions that are defined by the repository?

FWIW I'm glad I took a snapshot of the pull request pages with archiveweb.page because GitHub have deleted the PR, so it's like it never existed.

Another "user" started doing this too, so I guess my whitelisting of allowed actions wasn't enough to block the shell commands in the action. I'll just have to disable actions altogether for the moment.

GitHub have since added a form option for cryptocurrency mining when reporting abuse:

@edsu Bitcoin will save the world from the central banks 🙄

@edsu I've been using builds.sr.ht lately and they're going paid-only for the builds service (although they will give you a waiver if you can't afford it) because of this. It's a constant cat-and-mouse game trying to keep on top of the new miners trying to squeeze a few seconds of free CPU time out of anyone and everyone.

@edsu Although also: allowing the actions to be changed by a PR seems like a problem in general; I don't get why services do this. Like maybe CI changes should only be triggered if someone with the commit bit marks the manifest as trusted or something.

@sam @edsu We saw this on our PR a couple days ago, someone tagged the PR with "non-whitelisted builds" or something to let the CI system take a crack at it.

@sam yes, I think whitelisting should be the default instead of leaving it wide open. But still, why are the actions being run when someone submits a PR? I naively thought Actions were only triggered by commits on the git repository.

@edsu They're often used for CI so you want to check that tests and what not pass on PRs before merging them.

@sam ah yes ... w/ Travis there was an option for controlling that wasn't there?

@edsu I don't know, I don't use either Travis or GitHub actions, but I suspect it's a script and you could check the branch name and exit if you only want to run deploys on the default branch or something.

@sam now I'm kind of worried that someone could issue a PR for a new GitHub action that runs, gets the job's secret environment variables and sends them off somewhere else. GitHub must have thought about that already?

@edsu I know builds.sr.ht doesn't allow secrets in builds that are triggered externally or where the manifest has been modified, but I don't know about GitHub actions. I would assume they would have thought of this, but it's probably not a good idea to make that assumption if you're using them :)
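As an added illustration (not part of the thread, and not anything the participants posted), this is the sort of workflow layout a defender would use to act on the two points above: tests run on the `pull_request` event, which does not expose repository secrets to a workflow triggered from a fork, while the deploy job is gated on a push to the default branch and third-party actions are pinned to a commit SHA rather than a mutable tag. `make test`, `./deploy.sh`, `DEPLOY_TOKEN` and the SHA placeholder are assumptions; the repository settings "Allow select actions" and "Require approval for all outside collaborators" complement this and are set outside the workflow file.

```yaml
name: ci
on:
  push:
    branches: [main]
  pull_request:              # not pull_request_target: fork PRs get no repository secrets
    branches: [main]

permissions:
  contents: read             # minimal GITHUB_TOKEN scope for every job in this workflow

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to a full commit SHA you have reviewed,
      # not a tag that the action's author (or an attacker) can move.
      - uses: actions/checkout@<full-commit-sha>   # placeholder: fill in the audited SHA
      - run: make test                              # assumed test entry point

  deploy:
    needs: test
    # Only a push to the default branch reaches the secret; a PR event never does.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha>   # placeholder: same audited SHA
      - run: ./deploy.sh                            # assumed deploy script
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }} # assumed secret name
```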

@sam maybe this is the kick in the pants I needed to get off of github.

@edsu Glad I could be of service :) I've been looking for alternatives myself but haven't really found anything that suits my needs for various reasons sadly (although GitHub never really did either, but if I'm going to do work to move the alternative better be at least slightly better to justify the effort).

@sam but it sounds like you've been giving sourcehut.org a try? I've bookmarked codeberg, notabug, gitlab and thought about running a gitea ... but haven't done anything yet probably just because of the number of things I'll need to move.

Have you looked at git.coop at all?

@sam maybe I could start by just moving a few things different places and see what I like -- it is super nice that git is a lingua franca of sorts.

@edsu I hope you find something you like; I'll be really curious to hear what you decide!

@edsu As much as I'd love to support co-ops I *hate* GitLab. It's a mess of confusing options, it's slow, and it tries to do everything under the sun (which means it does nothing well). Gitea is a bit nicer IMO, but as far as I know there's no hosted CI that supports it and (like GitLab) it just imitates all the bad parts of GitHub. SourceHut is the best I've found so far, but some of the author's actions make me very nervous that there will be major changes before a stable release.

@sam I guess since it's a co-op it could eventually move to some other software for managing the repos and stay intact?

I agree that gitlab is difficult to navigate, and brought too much baggage from github. I've used it for gitlab.com/pymarc/pymarc and it has been ok once I settled in.

@edsu why would you ever run any actions you don't define in your repo??

@meena they have a marketplace of actions that you can pull from which is nice in principle (building electron apps, announcing builds in Slack, etc). But I guess in practice this is hard. It seems like different Actions should need to be approved, rather than the default being to allow anyone? I guess this is what happens when Microsoft buys your company.

@edsu glad to see that Microsoft is making github as secure as their other products

@edsu so does that vulnerability go all the way back to the launch of Actions? or was it related to some changes more recently

@redoak yes, I think it does ... that people could steal compute cycles from github by committing custom actions and submitting PRs for them. I think it got noticed recently because of the scale & impact of the attacks.

I just hope that these cretins weren't using it to steal secret configuration variables too.

@edsu i will never understand how companies with such resources release features with boneheaded vulnerabilities like "any old person can run whatever code against your repo, at our expense but maybe also yours"

@emma it really is. But I guess the accumulation of money by the few, and the scarcity of it for the many has always been a scam? I think I sometimes dismiss all the fintech/blockchain stuff because it is so obviously a sham, but it is getting picked up and used by the privileged and already powerful to consolidate their positions. So I think it's important to understand and take apart.

@edsu Definitely. The system we live in was a scam even before someone came up with "proof of work."

@edsu how very surprising... allowing arbitrary code execution from some random internet person without a manual trigger is a bad idea.

Go figure

@edsu We only trigger actions when a project member approves (on bazelbuild/bazel), but I have no idea how that's set up, because I don't do any GitHub admin. But it is apparently a thing that can be done!
