Spotipy GitHub Actions Workflow Vulnerability Allows Secrets Exfiltration

Vulnerability

A vulnerability has been identified in the Spotipy GitHub repository's Actions workflow, specifically in the integration_tests.yml file. The workflow is triggered by 'pull_request_target', which runs in the context of the base repository and therefore has access to its secrets, and it then checks out and executes code from the incoming pull request. An attacker who opens a pull request from a fork can thus run untrusted code with those secrets available and exfiltrate the GITHUB_TOKEN, SPOTIPY_CLIENT_ID and SPOTIPY_CLIENT_SECRET. The GITHUB_TOKEN is particularly critical, as it grants write permissions to the repository, allowing complete control over its contents.

Impact

Exploitation of this vulnerability allows exfiltration of the GITHUB_TOKEN, which can be used to gain full control over the repository, including pushing changes to its content. The token is only valid for the duration of the job, but the malicious code runs inside that job, so the attacker can use it immediately. Additionally, the vulnerability allows extraction of the Spotipy-specific secrets SPOTIPY_CLIENT_ID and SPOTIPY_CLIENT_SECRET, the Spotify API credentials the integration tests use.

Reproduction

To reproduce this vulnerability, fork the Spotipy repository and open a pull request against it whose changes include a malicious Python package (for example, code in setup.py that runs at install time) that reads the GITHUB_TOKEN and other secrets from the job environment and sends them to an attacker-controlled endpoint. Because the workflow is triggered by 'pull_request_target', it runs as soon as the pull request is opened or updated; no review or merge is required. The integration_tests workflow then checks out and executes the pull request's code, exposing the GITHUB_TOKEN and any other secrets passed to the job.

Remediation

The vulnerability has been patched in commit 9dfb7177b8d7bb98a5a6014f8e6436812a47576f. Workflows that run code from pull requests should use the 'pull_request' trigger, which gives pull requests from forks no repository secrets and only a read-only GITHUB_TOKEN. If 'pull_request_target' is genuinely required (for example, to label or comment on pull requests), the workflow must never check out or execute the pull request's head ref, and it should declare an explicit, minimal 'permissions' block so the GITHUB_TOKEN cannot write to the repository.
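The following is an added, constructed illustration of the pattern described in the Vulnerability and Remediation sections above; it is not Spotipy's actual integration_tests.yml or the patched file. The first document shows the vulnerable shape (pull_request_target plus a checkout of the pull request head, with the Spotify credentials in the environment of a step that runs PR-controlled code); the second shows a hardened layout in which untrusted pull request code runs under plain pull_request with no secrets, and the secret-bearing integration job runs only on pushes to the trusted branch. Job names, the branch name, Python version and test paths are assumptions.

```yaml
# Constructed example, not Spotipy's own workflow file.
# VULNERABLE: pull_request_target runs in the base repository's context with
# its secrets, while the checkout step pulls the fork's head commit, so code
# controlled by the PR author (setup.py, tests, anything pip executes) runs
# with the secrets below in its environment. actions/checkout also writes the
# GITHUB_TOKEN into .git/config by default (persist-credentials: true).
name: integration_tests (vulnerable)
on:
  pull_request_target:
    branches: [master]           # assumed branch name

jobs:
  integration:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # attacker-controlled code
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"                            # assumed
      - run: pip install .                                  # runs the PR's setup.py
      - run: python -m pytest tests/integration             # assumed test path
        env:
          SPOTIPY_CLIENT_ID: ${{ secrets.SPOTIPY_CLIENT_ID }}
          SPOTIPY_CLIENT_SECRET: ${{ secrets.SPOTIPY_CLIENT_SECRET }}
---
# HARDENED: pull request code runs under `pull_request`, which for fork PRs
# provides no repository secrets and a read-only GITHUB_TOKEN. Secrets are
# only injected into a job that runs on pushes to the trusted branch, i.e.
# code that has already been reviewed and merged.
name: integration_tests (hardened)
on:
  push:
    branches: [master]           # assumed branch name
  pull_request:                  # fork PRs: no secrets, read-only token

permissions:
  contents: read                 # least privilege for GITHUB_TOKEN on every run

jobs:
  unit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # keep the token out of .git/config
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install .
      - run: python -m pytest tests/unit                    # assumed test path

  integration:
    if: github.event_name == 'push'    # secrets never reach PR-controlled code
    needs: unit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install .
      - run: python -m pytest tests/integration
        env:
          SPOTIPY_CLIENT_ID: ${{ secrets.SPOTIPY_CLIENT_ID }}
          SPOTIPY_CLIENT_SECRET: ${{ secrets.SPOTIPY_CLIENT_SECRET }}
```

The two documents are shown together for comparison; in a repository each would be its own file under .github/workflows. The `persist-credentials: false` and top-level `permissions: contents: read` settings are defence in depth: even on a trusted run, a compromised dependency then finds no write-capable token on disk or in the job. If the integration tests must run before merge for fork pull requests, the safe pattern is a maintainer-gated step (for example, a job that only runs after a maintainer applies a label), not pull_request_target with a checkout of the pull request head.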

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.