Releases
Overview
GitHub provides the release functionality as a way to publish iterations of packaged software as releases. Releases include a compressed snapshot of the source code as .zip and .tar.gz files. Additionally, GitHub allows you to attach extra files when creating or editing a release. Moreover, these extra files can be modified after a release has been created.
To reproduce the issue, follow these steps:
1. Create a public repository on GitHub.
2. Create a release and add a test.sh file.
3. Invite an attacker user as a collaborator.
4. The attacker can edit the release and modify the test.sh file.
5. There is no indication in the GitHub UI that the release was modified.
In other words, an attacker who compromises the account of any project collaborator can modify releases without the knowledge of the project owners. This is possible for the following reasons:
Release assets can be modified after initial publication (excluding the source code snapshots).
Any project collaborator can modify releases. There is no permission setting that lets an owner prevent a release from being changed.
The UI does not notify or indicate that a release has been modified (the releases API, however, exposes additional information about release assets, such as their timestamps).
The verified flag is displayed if a git commit has been verified; this only applies to the source code snapshot, not to the extra files.
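The page notes that the releases API exposes more about assets than the UI does. The following is an added example (not from the original page or from GitHub) of how a consumer can use that information defensively: it flags assets whose API timestamps show they were added or changed after the release was published, and it checks a downloaded asset against a SHA-256 digest pinned when the release was first seen. The release JSON and the pinned digest are constructed sample data; the field names (published_at, assets[].created_at, assets[].updated_at, assets[].size) follow the GitHub REST API release object, and the timestamp heuristic is an assumption about how re-uploaded assets appear, not documented GitHub behaviour.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample, trimmed to the fields this check uses. The shape follows
# the GitHub REST API "get a release" response. Here test.sh was (re)uploaded
# weeks after the release was published, while checksums.txt predates it.
SAMPLE_RELEASE_JSON = """
{
  "tag_name": "v1.0.0",
  "published_at": "2023-01-10T12:00:00Z",
  "assets": [
    {"name": "test.sh", "size": 42,
     "created_at": "2023-02-01T09:30:00Z", "updated_at": "2023-02-01T09:30:00Z"},
    {"name": "checksums.txt", "size": 120,
     "created_at": "2023-01-10T11:58:00Z", "updated_at": "2023-01-10T11:58:00Z"}
  ]
}
"""

# Constructed: digests a consumer recorded (for example in CI) when the release
# was first published, keyed by asset name. Pinning at first sight is what makes
# a later silent replacement detectable.
ORIGINAL_TEST_SH = b"#!/bin/sh\necho original\n"
PINNED_SHA256 = {
    "test.sh": hashlib.sha256(ORIGINAL_TEST_SH).hexdigest(),
}


def load_sample_release():
    """Parse the constructed release JSON into a dict."""
    return json.loads(SAMPLE_RELEASE_JSON)


def _ts(value):
    """Parse a GitHub API timestamp (UTC, ISO 8601 with trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_modified_assets(release):
    """Return names of assets whose timestamps suggest post-publication changes.

    Heuristic (assumption): an asset created after the release's published_at
    was attached later, and an asset whose updated_at differs from created_at
    had its metadata edited. Both are invisible in the web UI.
    """
    published = _ts(release["published_at"])
    suspicious = []
    for asset in release.get("assets", []):
        created = _ts(asset["created_at"])
        updated = _ts(asset["updated_at"])
        if created > published or updated != created:
            suspicious.append(asset["name"])
    return suspicious


def verify_asset(name, data, pinned=PINNED_SHA256):
    """Return True only if the downloaded bytes match the pinned SHA-256 digest.

    Unknown assets are rejected rather than trusted by default.
    """
    expected = pinned.get(name)
    if expected is None:
        return False
    return hashlib.sha256(data).hexdigest() == expected


if __name__ == "__main__":
    release = load_sample_release()
    print("assets changed after publication:", find_modified_assets(release))
    print("test.sh matches pin:", verify_asset("test.sh", ORIGINAL_TEST_SH))
```

The timestamp check is only a signal, since a legitimate maintainer may also attach files late; the digest comparison is the authoritative check, which is why consumers should pin asset digests (or verify a signature over them) rather than trust a release page that cannot show modifications.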