
fix(security): harden pull_request_target workflows against fork RCE [MSRC-111178]#353

Merged
imran-siddique merged 19 commits into microsoft:main from imran-siddique:fix/msrc-111178-pull-request-target
Mar 23, 2026

Conversation

@imran-siddique
Member

Defense-in-depth hardening for all 6 AI agent workflows using pull_request_target.

Changes across 6 workflow files:

  • Explicit ref: base.sha on all 8 checkout steps (was implicit default)
  • persist-credentials: false on all checkouts
  • Fork safety check step on all PR-triggered jobs
  • Shallow clone (fetch-depth: 1) where full history not needed
  • Security header comments referencing MSRC case

The core vulnerability (ref: head.sha checkout enabling fork RCE) was already removed in PR #303. These changes add defense-in-depth per MSRC requirements.

Ref: MSRC Case 111178
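As an added example that is not part of this PR or the agent-os repository, the check below looks for the patterns listed in the description in a workflow's parsed form (the dict that `yaml.safe_load` returns, so the script needs no third-party library). The two sample workflows are constructed for the example; the `actions/checkout` commit they pin is the one cited in the security-scanner comment later on this page, and the step names, script path and `Finding` type are the example's own. One caveat the code handles: PyYAML parses the unquoted `on:` key as boolean `True`, so a naive `wf["on"]` lookup silently sees no triggers.

```python
"""Static check for pull_request_target workflows (added example).

Flags the patterns the PR description lists:
  * checkout of the untrusted PR head (ref: ...head.sha / head.ref) while
    the workflow runs with the base repository's secrets and write token
  * checkout whose ref is not explicitly github.event.pull_request.base.sha
  * checkout that leaves GITHUB_TOKEN in .git/config (persist-credentials)
  * actions not pinned to a full 40-hex commit SHA
  * jobs with no fork safety step
Workflows are passed in as the dicts yaml.safe_load() would produce.
"""
import re
from dataclasses import dataclass

SHA_PIN = re.compile(r"@[0-9a-f]{40}$")
HEAD_REF = re.compile(r"head\.(sha|ref)\b")
BASE_SHA = re.compile(r"base\.sha\b")
FORK_CHECK = re.compile(r"head\.repo\.full_name\s*!=\s*github\.repository")
CHECKOUT = "actions/checkout@"


@dataclass
class Finding:
    severity: str  # "CRITICAL" or "WARNING"
    location: str  # "<job>/<step name>" or "<job>"
    message: str


def triggers(wf):
    """Event names a workflow runs on. PyYAML parses the bare key `on` as
    boolean True, so both spellings of the key are accepted."""
    on = wf.get("on", wf.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def lint_workflow(wf):
    findings = []
    if "pull_request_target" not in triggers(wf):
        return findings  # these checks only matter for privileged PR runs
    for job_name, job in wf.get("jobs", {}).items():
        fork_check_seen = False
        for i, step in enumerate(job.get("steps", [])):
            loc = f"{job_name}/{step.get('name') or f'step{i}'}"
            # A fork safety step compares the head repo with the base repo.
            cond = f"{step.get('if', '')} {step.get('run', '')}"
            if FORK_CHECK.search(cond):
                fork_check_seen = True
            uses = step.get("uses")
            if not uses:
                continue
            if not SHA_PIN.search(uses):
                findings.append(Finding("WARNING", loc, f"{uses} is not pinned to a commit SHA"))
            if uses.startswith(CHECKOUT):
                with_ = step.get("with") or {}
                ref = str(with_.get("ref", ""))
                if HEAD_REF.search(ref):
                    findings.append(Finding("CRITICAL", loc,
                        "checks out the PR head under pull_request_target: fork code runs with base-repo secrets"))
                elif not BASE_SHA.search(ref):
                    findings.append(Finding("WARNING", loc,
                        "ref should be explicit: ${{ github.event.pull_request.base.sha }}"))
                if str(with_.get("persist-credentials", "true")).lower() != "false":
                    findings.append(Finding("WARNING", loc, "persist-credentials should be false"))
        if not fork_check_seen:
            findings.append(Finding("WARNING", job_name, "no fork safety check step"))
    return findings


# Constructed sample: the unsafe "before" shape (head.sha checkout, unpinned
# action, token persisted, no fork check); the run step then executes
# fork-controlled setup code with the base repository's privileges.
VULNERABLE = {
    "name": "ai-review",
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"review": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "pip install -e . && python scripts/ai_review.py"},
    ]}},
}

# Constructed sample of the hardened shape this PR describes.
HARDENED = {
    "name": "ai-review",
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"review": {"runs-on": "ubuntu-latest", "steps": [
        {"name": "Fork safety check",
         "if": "github.event.pull_request.head.repo.full_name != github.repository",
         "run": "echo '::notice::fork PR: only base-branch code is checked out'"},
        {"name": "Checkout base",
         "uses": "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683",
         "with": {"ref": "${{ github.event.pull_request.base.sha }}",
                  "persist-credentials": False, "fetch-depth": 1}},
        {"run": "pip install -e . && python scripts/ai_review.py"},
    ]}},
}

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{label}: {len(lint_workflow(wf))} finding(s)")
        for f in lint_workflow(wf):
            print(f"  {f.severity} {f.location}: {f.message}")
```

The severity split reflects the trust boundary: with `pull_request_target` the job runs in the base repository's context, so a head checkout followed by any build step (`pip install -e .`, `npm install`, `make`) is code execution with that context's secrets, while the other four items limit blast radius if something else goes wrong. Note that checking out `base.sha` means the PR's own changes are not on disk; a job that needs the diff has to fetch it through the API, which is the compatibility point the code-reviewer comment on this page raises.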

imran-siddique and others added 19 commits March 20, 2026 10:56
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ft#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes microsoft#316
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
…s (dependency confusion) (microsoft#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package
…stall agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR microsoft#325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…it CI

- scripts/check_dependency_confusion.py: Pre-commit hook that scans for
  pip install commands referencing unregistered PyPI packages. Maintains
  an allowlist of known registered packages.
- .github/workflows/weekly-security-audit.yml: Weekly CI job running
  dependency confusion scan, security skills scan, and weak crypto check.
  Uploads reports as artifacts with 90-day retention.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
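The commit above describes a pre-commit hook that scans for `pip install` commands naming packages not on an allowlist. The following is an added example of that kind of check, not the repository's own `scripts/check_dependency_confusion.py`; the allowlist and sample lines are constructed from the package names the commit messages on this page mention, and the function names are the example's own.

```python
"""Scan text for `pip install` commands that would resolve a package from
PyPI whose name is not on an allowlist of known-published distributions.

Added example, not the repository's check_dependency_confusion.py. A
`pip install <name>` for a name nobody has published is a dependency
confusion vector: whoever registers that name later gets code execution on
every machine that runs the command.
"""
import re
import shlex

# Constructed allowlist built from names this page says are real packages.
ALLOWLIST = {"agent-os-kernel", "zenpy", "freshdesk", "pip"}

PIP_INSTALL = re.compile(r"(?:^|[\s!;&|(])pip3?\s+install\s+([^;&|#]+)")
DIST_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")
# Options whose following argument is not a package name.
TAKES_VALUE = {"-e", "--editable", "-r", "--requirement", "-c", "--constraint",
               "-i", "--index-url", "--extra-index-url", "-f", "--find-links",
               "-t", "--target"}


def normalize(name):
    """PEP 503 name normalisation, so Agent_OS.Kernel and agent-os-kernel compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def index_packages(args_text):
    """Names that `pip install <args_text>` would fetch from an index.
    Editable/local paths, URLs, archives and requirement files are skipped
    because they are not resolved from the index by name."""
    names = []
    try:
        args = shlex.split(args_text)
    except ValueError:  # unbalanced quotes: treat as not a package install
        return names
    skip = False
    for arg in args:
        if skip:
            skip = False
            continue
        if arg in TAKES_VALUE:
            skip = True
            continue
        if arg.startswith("-"):
            continue  # a flag, possibly in --opt=value form
        if arg.startswith((".", "/", "~", "git+", "http://", "https://", "file:")) \
                or arg.endswith((".whl", ".tar.gz", ".zip")):
            continue
        m = DIST_NAME.match(arg)  # drops extras [..], specifiers >=, markers
        if m:
            names.append(normalize(m.group(0)))
    return names


def scan(text, allowlist=ALLOWLIST):
    """Return (1-based line number, package) for each install of a name
    that is not on the allowlist."""
    hits = []
    allowed = {normalize(n) for n in allowlist}
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PIP_INSTALL.finditer(line):
            for pkg in index_packages(m.group(1)):
                if pkg not in allowed:
                    hits.append((lineno, pkg))
    return hits


# Constructed sample: notebook and shell lines of the kind the fix replaced.
SAMPLE = """\
!pip install agent-os
!pip install -e ../..
pip install "agent-os-kernel[full]" zenpy>=2.0
pip3 install hashlib-compat  # hashlib is stdlib; this name is unpublished
python -m pip install -r requirements.txt --index-url https://pypi.org/simple
"""

if __name__ == "__main__":
    for lineno, pkg in scan(SAMPLE):
        print(f"line {lineno}: '{pkg}' is not an allowlisted PyPI package")
```

The allowlist approach is deliberately conservative: an unknown name is flagged even if it happens to exist on PyPI, because the reviewer then confirms it is the intended package rather than a lookalike. Editable installs such as `-e ../..` are skipped since they never consult the index, which is exactly why the notebook fix switched to them.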
…icrosoft#349)

* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (microsoft#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes microsoft#316

* ci: add markdown link checker workflow (microsoft#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (microsoft#309) (microsoft#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (microsoft#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR microsoft#325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update framework star counts to current values

Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
- agentmesh → agentmesh-platform (5 files)
- agentmesh-governance → agent-governance-toolkit
- agent-os-observability → agent-os-kernel[observability]
- hashlib.md5 → hashlib.sha256 (3 files)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…[MSRC-111178]

Defense-in-depth hardening for all 6 AI agent workflows:
- Explicit ref: base.sha on all checkout steps (was implicit default)
- persist-credentials: false on all checkouts
- Fork safety notices
- Shallow clone (fetch-depth: 1) where full history not needed
- Security header comments referencing MSRC case

The core vulnerability (ref: head.sha checkout) was already removed
in PR microsoft#303. These changes add belt-and-suspenders protection.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@imran-siddique imran-siddique merged commit 148aeec into microsoft:main Mar 23, 2026
53 checks passed
@github-actions github-actions bot added ci/cd CI/CD and workflows size/M Medium PR (< 200 lines) labels Mar 23, 2026

@github-actions github-actions bot left a comment

🤖 AI Agent: code-reviewer

Review Summary

This pull request addresses a critical security vulnerability related to the use of pull_request_target workflows in GitHub Actions. The changes implement defense-in-depth measures to mitigate potential remote code execution (RCE) risks from malicious fork PRs. The updates are well-documented and align with best practices for securing CI/CD pipelines.

Feedback

🔴 CRITICAL

  1. Fork Safety Check Logic:

    • The fork safety check (github.event.pull_request.head.repo.full_name != github.repository) is a good addition, but it does not prevent execution of malicious code if a fork PR modifies the .github/actions/ directory in the base branch. While the ref: ${{ github.event.pull_request.base.sha }} mitigates this risk, ensure that composite actions themselves are hardened against arbitrary code execution. Consider adding a validation step to verify the integrity of composite actions (e.g., checksum validation).
  2. Persist Credentials:

    • Setting persist-credentials: false is critical to prevent unauthorized access to the GITHUB_TOKEN. However, ensure that all subsequent steps in the workflow do not inadvertently re-enable credentials or rely on them for sensitive operations.

🟡 WARNING

  1. Backward Compatibility:
    • The change from implicit default ref (HEAD) to explicit BASE (github.event.pull_request.base.sha) may alter the behavior of workflows that previously relied on the PR head for dynamic analysis. For example, workflows analyzing changes introduced in the PR may need adjustments to fetch the diff explicitly via the GitHub API. Ensure that downstream tools or scripts are compatible with this change.

💡 SUGGESTION

  1. Shallow Clone (fetch-depth: 1):

    • While shallow clones improve performance, they may limit debugging capabilities in workflows that require full commit history. Consider documenting this trade-off in the workflow comments or providing an option to override fetch-depth for debugging purposes.
  2. Security Header Comments:

    • The security header comments referencing MSRC Case 111178 are helpful for context. Consider adding a link to the MSRC documentation or a summary of the vulnerability for future maintainers who may not have direct access to the case details.
  3. Workflow Reusability:

    • The fork safety check and other security measures are repeated across multiple workflows. Consider abstracting these steps into a reusable composite action to reduce duplication and ensure consistency across workflows.
  4. Testing:

    • Ensure that these changes are tested against various scenarios, including fork PRs, base branch modifications, and workflows requiring full commit history. Automated tests for CI/CD workflows can help validate these scenarios.
  5. Documentation Update:

    • Update the repository's documentation to reflect these security changes, especially for contributors who may rely on pull_request_target workflows for testing their PRs.

Action Items

  1. Harden composite actions against arbitrary code execution (e.g., checksum validation).
  2. Verify compatibility of downstream tools/scripts with the explicit BASE ref.
  3. Abstract repeated security steps into a reusable composite action.
  4. Test workflows against edge cases and document the changes.

Conclusion

The changes in this pull request significantly improve the security posture of the repository's CI/CD workflows. Address the critical and warning items to ensure comprehensive mitigation of RCE risks and maintain backward compatibility. The suggestions provided will further enhance maintainability and usability.

@github-actions

🤖 AI Agent: security-scanner — Security Review of Pull Request: Hardening `pull_request_target` Workflows

This pull request addresses a critical security vulnerability (MSRC-111178) related to the use of pull_request_target workflows in GitHub Actions. The changes aim to mitigate the risk of remote code execution (RCE) by ensuring that workflows triggered by forked pull requests do not inadvertently execute malicious code. Below is a detailed security review of the changes.

Findings

1. Prompt Injection Defense Bypass

  • Assessment: Not applicable. This PR does not involve changes to prompt handling or AI agent logic.
  • Rating: 🔵 LOW

2. Policy Engine Circumvention

  • Assessment: The changes ensure that workflows triggered by pull_request_target use the base.sha for checkouts instead of the head.sha. This prevents malicious code in forked pull requests from modifying workflow behavior or bypassing security policies. The addition of fork safety checks further ensures that workflows are aware of their execution context.
  • Rating: 🔵 LOW (No circumvention detected)

3. Trust Chain Weaknesses

  • Assessment: The explicit use of base.sha for checkouts ensures that only trusted code from the base branch is executed. The persist-credentials: false setting prevents the accidental exposure of repository credentials to forked repositories. These measures strengthen the trust chain.
  • Rating: 🔵 LOW (No weaknesses detected)

4. Credential Exposure

  • Assessment: The persist-credentials: false setting ensures that the GITHUB_TOKEN is not exposed to forked repositories. This is a critical improvement, as it prevents malicious actors from using the token to escalate privileges or access sensitive resources.
  • Rating: 🔵 LOW (No exposure detected)

5. Sandbox Escape

  • Assessment: The changes do not introduce or modify any sandboxing mechanisms. The use of base.sha ensures that only trusted code is executed, reducing the risk of sandbox escape.
  • Rating: 🔵 LOW (No sandbox escape vectors detected)

6. Deserialization Attacks

  • Assessment: Not applicable. This PR does not involve deserialization logic.
  • Rating: 🔵 LOW

7. Race Conditions

  • Assessment: The explicit use of base.sha eliminates potential time-of-check-to-time-of-use (TOCTOU) vulnerabilities where the head.sha could be modified after the workflow is triggered. This ensures that the code being executed is consistent and trusted.
  • Rating: 🔵 LOW (No race conditions detected)

8. Supply Chain

  • Assessment: The workflows now explicitly reference a specific commit (11bd71901bbe5b1630ceea73d27597364c9af683) of the actions/checkout action. This prevents dependency confusion or typosquatting attacks by ensuring that a known-good version of the action is used.
  • Rating: 🔵 LOW (No supply chain risks detected)

Recommendations

  1. Testing and Validation:

    • Ensure that all workflows are thoroughly tested to confirm that the changes do not inadvertently break functionality.
    • Validate that the fork safety checks and base.sha references work as intended in various scenarios, including forked and non-forked pull requests.
  2. Documentation:

    • Update the repository's security documentation to reflect these changes and explain the rationale behind them. This will help maintainers and contributors understand the importance of these measures.
  3. Ongoing Monitoring:

    • Regularly review the workflows for potential new vulnerabilities, especially as GitHub Actions evolves and new features or security concerns emerge.

Conclusion

The changes in this pull request are well-implemented and address the critical vulnerability described in MSRC-111178. By using base.sha for checkouts, disabling credential persistence, and adding fork safety checks, the workflows are significantly hardened against RCE attacks from malicious forked pull requests.

Overall Rating: 🔵 LOW
No security issues were identified in this pull request. The changes are a positive step toward improving the security posture of the repository.

@imran-siddique imran-siddique deleted the fix/msrc-111178-pull-request-target branch March 28, 2026 16:48