Dependabot

Last updated 2 years ago

Overview

Dependabot uses GitHub Actions and a separate environment to run its checks. Several public resources are helpful for reviewing the internal implementation details:

  • dependabot/updater-action, the action that is responsible for running Dependabot updates.

  • dependabot/dependabot-core, the action that implements the core logic. Check out the architecture of dependabot-core.

  • dependabot-updater is a Docker image that launches the scanning (it includes dependabot-core as a component).

  • dependabot-update-job-proxy, a Docker image with a proxy that authenticates requests to certain GitHub API endpoints, so that Dependabot does not have to disclose the GitHub API token.

Code execution

Dependabot gathers information about dependencies from manifests such as setup.py or .gemspec, which can be abused to execute arbitrary code. Package managers with the package-ecosystem values bundler, mix, and pip can execute external code in the manifest as part of the version update process. Therefore, if you can poison the manifest, you can execute arbitrary code while Dependabot is running.

Check how to abuse manifests to gain code execution in the Parameters Injection page.

Dependabot allows developers to prevent code execution by setting insecure-external-code-execution to deny. Moreover, Dependabot automatically sets insecure-external-code-execution to deny and prevents external code execution when a registries setting is used within an updates configuration. However, this may cause the version update to fail, so developers can override this behaviour by setting insecure-external-code-execution to allow, which re-enables code execution.
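As an added example (not code from the original page or from Dependabot itself), the following Python audits a parsed dependabot.yml for the settings described above: it flags bundler, mix and pip entries that either leave insecure-external-code-execution unset with no registries entry (so nothing triggers the automatic deny) or override it with allow, and it produces a hardened copy. The configuration is constructed for illustration; in practice the real file would be loaded with a YAML parser.

```python
import copy

# package-ecosystem values whose manifests can run code during a version
# update (the bundler, mix and pip cases named in the text above).
CODE_EXECUTING_ECOSYSTEMS = {"bundler", "mix", "pip"}

# Constructed sample: the dict equivalent of a dependabot.yml (assumption:
# it was parsed with a YAML library beforehand).
SAMPLE_CONFIG = {
    "version": 2,
    "registries": {
        "private-pypi": {"type": "python-index",
                         "url": "https://pypi.example.internal/simple",
                         "username": "ci", "password": "${{secrets.PYPI_TOKEN}}"},
    },
    "updates": [
        # registries triggers the automatic deny, but "allow" overrides it
        {"package-ecosystem": "pip", "directory": "/",
         "schedule": {"interval": "daily"}, "registries": ["private-pypi"],
         "insecure-external-code-execution": "allow"},
        # no registries entry and no explicit deny: manifest code may run
        {"package-ecosystem": "bundler", "directory": "/api",
         "schedule": {"interval": "weekly"}},
        # npm is not one of the affected ecosystems
        {"package-ecosystem": "npm", "directory": "/web",
         "schedule": {"interval": "weekly"}},
        # explicit deny: nothing to report
        {"package-ecosystem": "mix", "directory": "/svc",
         "schedule": {"interval": "weekly"},
         "insecure-external-code-execution": "deny"},
    ],
}

def audit_dependabot_config(config):
    """Return (directory, ecosystem, reason) for every risky updates entry."""
    findings = []
    for update in config.get("updates", []):
        eco = update.get("package-ecosystem")
        if eco not in CODE_EXECUTING_ECOSYSTEMS:
            continue
        directory = update.get("directory", "/")
        setting = update.get("insecure-external-code-execution")
        if setting == "allow":
            reason = "external code execution explicitly allowed"
            if update.get("registries"):
                reason += " (overrides the automatic deny that registries triggers)"
            findings.append((directory, eco, reason))
        elif setting is None and not update.get("registries"):
            findings.append((directory, eco, "not denied and no registries entry"))
    return findings

def harden(config):
    """Copy of the config with deny set on every code-executing ecosystem."""
    fixed = copy.deepcopy(config)
    for update in fixed.get("updates", []):
        if update.get("package-ecosystem") in CODE_EXECUTING_ECOSYSTEMS:
            update["insecure-external-code-execution"] = "deny"
    return fixed
```

Setting deny on the hardened copy may make some version updates fail, as the text above notes; that failure is the signal to review the manifest rather than a reason to switch back to allow.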

Disclosure of release notes and commits of private repositories

If Dependabot detects outdated dependencies, it creates a PR to bump their versions. Dependabot adds additional information about the changes, which may contain release notes and a list of commits with their messages. You can find an example of such a PR in the following screenshot:

However, Dependabot supports private dependencies, and it adds this data to a PR for a private dependency as well. Therefore, if a public project has private dependencies, Dependabot will disclose release notes and commits of those private projects.

References

  • Dependabot supports private dependencies
  • Writeup: Diving into Dependabot along with a bug in npm