phpgt Dom GITHUB_TOKEN Exposure Vulnerability in Workflow Artifact

Vulnerability

A vulnerability exists in phpgt Dom versions prior to 4.1.8, where the GITHUB_TOKEN is inadvertently exposed in the workflow run artifact. The issue arises because the ci.yml workflow uploads a zip file of the current directory, which includes the .git/config file containing the GITHUB_TOKEN. This token can be extracted and used with the GitHub API to push malicious code or alter release commits in the repository. Although the token's validity is limited to the workflow run duration, there is a brief window for exploitation.

Impact

Exploitation of this vulnerability allows for unauthorized use of the GITHUB_TOKEN, enabling an attacker to push malicious code or modify release commits in the affected repository. This could lead to the introduction of backdoored code, especially if the altered release commits are downloaded by users.

Reproduction

To reproduce this vulnerability, monitor for runs of the ci.yml workflow in a repository using phpgt Dom prior to version 4.1.8. Once a workflow run is detected, wait for the build artifact to be uploaded. Download and extract the artifact to access the GITHUB_TOKEN from the .git/config file. The token can then be used with the GitHub API to push a commit with malicious code or to rewrite release tags, directing users to download the backdoored code.

Remediation

Users can update to phpgt Dom version 4.1.8 or later, where this vulnerability has been fixed.
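As an added defender-side check (not phpgt Dom's code, nor the project's workflow), the script below audits a downloaded artifact zip for a `.git/config` entry that still carries the token. It assumes the token is stored the way actions/checkout writes it, as a basic-auth `extraheader` under the github.com http section, and it builds a constructed sample artifact with a placeholder token so the check runs offline.

```python
"""Audit a downloaded workflow artifact zip for a leaked GITHUB_TOKEN."""
import base64
import io
import re
import sys
import zipfile

# Assumed storage format: actions/checkout leaves the token in .git/config as a
# basic-auth "extraheader" under the github.com http section.
TOKEN_HEADER = re.compile(r"^\s*extraheader\s*=\s*AUTHORIZATION:\s*basic\s+(\S+)", re.I | re.M)


def find_leaked_git_credentials(zip_bytes: bytes) -> list[dict]:
    """One finding per .git/config entry that embeds an auth header.
    Only the secret's length is reported, so the audit output never re-leaks it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name != ".git/config" and not name.endswith("/.git/config"):
                continue  # only the git config is of interest
            text = zf.read(name).decode("utf-8", errors="replace")
            for match in TOKEN_HEADER.finditer(text):
                findings.append({"entry": name, "secret_length": len(match.group(1))})
    return findings


def build_sample_artifact(include_git: bool) -> bytes:
    """Constructed artifact: a project tree zipped as 'the current directory',
    optionally with the .git/config a checkout step writes (placeholder token)."""
    auth = base64.b64encode(b"x-access-token:ghs_CONSTRUCTED_PLACEHOLDER").decode()
    git_config = (
        '[remote "origin"]\n\turl = https://github.com/example-org/example-repo\n'
        '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ' + auth + "\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("src/Document.php", "<?php // placeholder source\n")
        if include_git:
            zf.writestr(".git/config", git_config)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python audit_artifact.py <artifact.zip>; without an argument the
    # constructed sample is audited. Exit status 1 means a token was found.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_artifact(True)
    hits = find_leaked_git_credentials(data)
    for hit in hits:
        print(f"LEAK: {hit['entry']} carries an auth header ({hit['secret_length']} chars)")
    sys.exit(1 if hits else 0)
```

The script only confirms the leak in an artifact you already hold; the fix in the workflow itself is to stop uploading `.git`, or to check out with `persist-credentials: false` so no token is written to the config in the first place.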

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.