RyotaK's Blog 技術的な話とか
タグ Supply Chain を持つ記事:

GitHub Actionsにおける設定ミスに起因したGitHubスタッフのアクセストークン漏洩

(You can read this article in English here.) 免責事項 GitHubはBug Bountyプログラムを実施しており、その一環として脆弱性の診断行為をセーフハーバーにより許可しています。 本記事は、そのセーフハーバーの基準を遵守した上で調

Stealing GitHub staff's access token via GitHub Actions

(この記事は日本語でも読むことが出来ます。) Disclaimer GitHub is running a bug bounty program on HackerOne, and as part of this program, vulnerability research is permitted by the safe harbor. This article describes a vulnerability that I discovered as a result of my investigation in compliance with the safe harbor criteria and is not intended to encourage unauthorized vulnerability research activities. If you find a vulnerability on GitHub, please report it to GitHub Bug Bounty. TL;DR In the actions/runner repository, which hosts the source

Arbitrary package tampering in Deno registry + Code Injection in encoding/yaml

(この記事は日本語でも読むことが出来ます。) Disclaimer Deno Land Inc., which develops Deno, isn’t running bug bounty programs, so they don’t explicitly allow vulnerability assessments. This article describes the vulnerabilities that were reported as potential vulnerabilities, using publicly available information. This was done without actually exploiting/demonstrating the vulnerabilities and it’s not intended to encourage you to perform an unauthorized vulnerability assessment. If you find any vulnerabilities in Deno-related services/products, please report them to [email protected] Also, the information contained in this article may be inaccurate

Denoのレジストリにおける任意パッケージの改竄 + encoding/yamlのCode Injection

(You can read this article in English too.) 免責事項 Denoを開発しているDeno Land Inc.は、脆弱性報奨金制度等を実施しておらず、脆弱性の診断行為に関する明示的な許可を出していません。 本記事は、公開されている情報を元に脆弱性の

npmの@typesスコープにおける任意のパッケージの改竄

はじめに @typesスコープを管理しているDefinitely Typedは、Microsoftから支援を受けているものの、Microsoftの脆弱性報奨金制度におけるセーフハーバーの対象ではありません

Tampering with arbitrary packages in @types scope of npm

Preface Definitely Typed, a project which manages npm packages inside the @types scope, is supported by Microsoft. However, it is not in the scope of the safe harbor for Microsoft’s bug bounty program.1 This article describes the vulnerabilities that were reported as potential vulnerabilities, using publicly available information. This was done without actually exploiting / demonstrating the vulnerabilities. This article is not intended to encourage you to perform an unauthorized vulnerability assessment. If you find any vulnerabilities in Definitely Typed related products, please report them to members of Definitely Typed. TL;DR There were vulnerabilities in the pull request management bot of Definitely Typed, which allowed an attacker to merge a malicious pull request into DefinitelyTyped/DefinitelyTyped.

Potential remote code execution in PyPI

Preface (日本語版も公開されています。) While PyPI has a security page, they don’t have a clear policy for vulnerability assessments.1 This article describes the vulnerabilities that were reported as potential vulnerabilities, using publicly available information. This was done without actually exploiting / demonstrating the vulnerabilities. This article is not intended to encourage you to perform an unauthorized vulnerability assessment. If you find any vulnerabilities in PyPI, please report them to [email protected] TL;DR There was a vulnerability in GitHub Actions of PyPI’s repository, which allowed a malicious pull request

PyPIにおける潜在的な任意コード実行

はじめに (English version is also available.) PyPIは、セキュリティページ自体は公開しているものの、脆弱性診断行為に対する明確なポリシーを設けていません。1 本記事は、公開されている情報を元に脆弱性の存在を推測し、実際に検証する

Cloudflareのcdnjsにおける任意コード実行

はじめに (English version is also available.) cdnjsの運営元であるCloudflareは、HackerOne上で脆弱性開示制度(Vulnerability Disclosure Program)を設けており、脆弱性の診断行為を許可しています。 本記

Remote code execution in cdnjs of Cloudflare

Preface (日本語版も公開されています。) Cloudflare, which runs cdnjs, is running a “Vulnerability Disclosure Program” on HackerOne, which allows hackers to perform vulnerability assessments. This article describes vulnerabilities reported through this program and published with the permission of the Cloudflare security team. So this article is not intended to recommend you to perform an unauthorized vulnerability assessment. If you found any vulnerabilities in Cloudflare’s product, please report it to Cloudflare’s vulnerability disclosure program. TL;DR There was a vulnerability in the cdnjs library update server that could execute arbitrary