On August 13th, Yaron Avital, a researcher at Unit 42 of Palo Alto Networks released research titled ArtiPACKED which outlines a potential vulnerability that may be present in your GitHub repositories. If you are using the GitHub Action actions/upload-artifact you may be configured in a way that exposes your GitHub Tokens to an attacker that can race to use your token to attack your pipeline.
For organizations with an extensive GitHub footprint, trying to understand if you are vulnerable to such an exploit can be complicated, especially if you have multiple GitHub organizations and hundreds to thousands of repositories within each GitHub organization.
The best place to start would be to identify all repositories that use the actions/upload-artifact GitHub Action to persist data beyond workflow runs.
We wrote a quick python script to search through all repositories within specified GitHub organizations that looks for specific strings within the .github directory of each repository. It utilizes the GitHub GraphQL API to efficiently fetch organizations and repositories and then iterates through them to find any matching content.
Simply run the following command to crawl your entire Github environment for the string actions/upload-artifact.
python3 main.py -orgs org1 org2 org3 -strings actions/upload-artifact
If you are trying to search through multiple GitHub organizations, the Personal Access Token (PAT) being used must have the repository:read permission to all GitHub organizations specified in the command.
To speed up the search process, we are only searching the .github folder of each repository and looking for files that end with .yml or .yaml. The script can be modified to search for all files in all folders. Beware of hitting GitHub rate-limits depending on how many repositories exist within the GitHub organizations.
Browse to https://github.com/ArctiqTeam/github-repo-searcher for complete usage documentation.
Once you have identified the potentially impacted workflows YAMLs, you can investigate to see if the path used creates the vulnerability and modify it to a more specific path, which excludes the .git folder. You could also replace the instance of upload-artifact@v4 with the OSS Palo Alto Networks version, upload-secure-artifact, using PaloAltoNetworks/upload-secure-artifact@main which will halt the action if it detects an unsafe method.
As a Certified Palo Alto Partner, Arctiq proudly leverages our partnership with Palo Alto Networks to offer cutting-edge solutions and services. Our expert team is dedicated to enhancing your GitHub workflows and overall security posture.
For personalized guidance and to address your unique security needs, contact Arctiq today. With support from Palo Alto Networks, we are here to help you achieve a robust, secure environment.
