-
Notifications
You must be signed in to change notification settings - Fork 10
/
security.html.jinja2
114 lines (103 loc) · 6.46 KB
/
security.html.jinja2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
{% extends "frame.html.jinja2" %}
{% block head %}
<title>autofix.ci: security</title>
{% endblock %}
{% block body %}
<main class="container">
<div class="row justify-content-center">
<div class="col-12 col-lg-6">
<h1>Security</h1>
<p>
For autofix.ci to work, you need to provide autofix.ci's GitHub App with read/write permissions
for your repository. Many maintainers are rightfully hesistant to provide such permissions to
third parties. We are taking this responsibility very seriously, and have designed
autofix.ci with security in mind from the start:
</p>
<ol>
<li>
autofix.ci has a well-defined threat model in which GitHub Actions runners are treated as
completely untrusted and potentially compromised. The autofix.ci API only enables the workflow
to update the current pull request once.
</li>
<li>
autofix.ci minimizes untrusted input and data processing where possible. For example,
instead of using <samp>git checkout/apply/push</samp>, we have decided to use
GitHub's GraphQL API. This makes it much harder to port autofix.ci to other platforms,
but means we only need to process a
<a href="https://docs.github.com/en/graphql/reference/input-objects#filechanges">simple JSON
data structure</a>
instead of applying git commands on untrusted repositories (see e.g.
<a href="https://access.redhat.com/security/cve/cve-2021-21300">CVE-2021-21300</a>).
</li>
<li>
autofix.ci's hosted service is written in a memory-safe language that emphasizes correctness
(Rust).
</li>
<li>
autofix.ci's main author has extensive practical (building security software, organizing and
playing CTF security competitions) and theoretical security experience (CS PhD
from a security group).
</li>
</ol>
<h5 id="workflow-name">Why does the workflow name have to be "autofix.ci"?</h5>
<p>
Consider a repository with two workflows: <samp>autofix.ci</samp> and <samp>compromised_workflow</samp>.
We have an attacker that can execute code in <samp>compromised_workflow</samp>. However, this workflow
is locked down to <code>permissions: {contents: read}</code>.
</p>
<p>
If arbitrary workflow names were allowed, the attacker could upload an "autofix.ci" artifact from
the compromised workflow, and then manually call the autofix API. This privilege escalation path is mitigated
by requiring that the artifact is upload from a specific workflow.
</p>
<p>The server-side check is repeated in
the action's code to provide immediate feedback.
</p>
<h5 id="permissions">What does the GitHub App request permissions for?</h5>
<dl>
<dt><code>contents:write</code></dt>
<dd>This permission is necessary to push the fix commit.</dd>
</dl>
<dt><code>actions:write</code></dt>
<dd>This permission is used to cancel all other workflows associated with a commit when fixing it
(configurable via the <samp>fail-fast</samp> option in
<a href="https://github.com/autofix-ci/action/blob/main/action.yml">action.yml</a>).</dd>
<dt><code>pull-requests:write</code></dt>
<dd>This permissions is used to add comments to pull requests.
autofix.ci uses comments to inform external contributors that their PR needs
fixing if they did not enable the "allow edits by maintainers" option.</dd>
<dt><code>checks:write</code></dt>
<dd>This permission is used to add commit statuses.
When autofix.ci fails to fix a branch (for example due to branch protection rules),
it creates a commit status with an explanation.</dd>
<dt><code>metadata:read</code></dt>
<dd>This permissions is mandatory for all GitHub Apps.</dd>
</dl>
<h2 class="mt-4">Reporting a Vulnerability</h2>
<p>
We ask that you do not report security issues to our normal GitHub issue tracker.
If you believe you've identified a security issue with autofix.ci, please report it to
{{ email("[email protected]") }}.
</p>
<p>
Once you've submitted an issue via email, you should receive an acknowledgment within 48 hours,
and depending on the action to be taken, you may receive further follow-up emails.
</p>
<h2 class="mt-4">Bug Bounty</h2>
<p>
For the responsible disclosure of critical vulnerabilities that could compromise the integrity or
confidentiality of our users' GitHub repositories, autofix.ci pays a bug bounty of up to one month
of autofix.ci's total revenue.
</p>
<p>
We will not bind you to any additional terms or have you sign an NDA when you report a
vulnerability. However, bounty payments, if any, will be determined by autofix.ci, in autofix.ci's
sole discretion. In no event shall autofix.ci be obligated to pay you a bounty for any submission.
If you are unhappy with how autofix.ci is handling the disclosure process, you may walk away at any
moment and publish your findings (but not any sensitive data you may have had access to) in the
public.
</p>
</div>
</div>
</main>
{% endblock %}