goshs ArtiPACKED Vulnerability Leading to GITHUB_TOKEN Leakage
Vulnerability
An ArtiPACKED vulnerability has been identified in goshs versions prior to 2.0.0-beta.6. This vulnerability allows the GITHUB_TOKEN to be leaked through workflow artifacts, even though the token never appears in the repository's source code. The issue arises because the actions/checkout step, whose persist-credentials option defaults to true, writes the token into the .git/config file. If an artifact is later uploaded that includes the .git directory, the token can be extracted from it and misused.
Impact
Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of the user, such as pushing malicious code to repositories or exfiltrating other secrets.
Reproduction
The vulnerability can be reproduced by creating a GitHub Actions workflow that uses the actions/checkout step without disabling credential persistence. When the workflow runs, the GITHUB_TOKEN is saved in the .git directory. If the workflow then uploads an artifact that includes the .git directory, the token can be extracted from the uploaded files.
Remediation
To address the ArtiPACKED vulnerability, update the actions/checkout step in the affected workflows to version 4 and set persist-credentials to false. This change prevents the GITHUB_TOKEN from being saved in the .git directory, eliminating the risk of leakage through workflow artifacts.
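The following GitHub Actions workflow is an added example, not goshs's own workflow file. It shows, side by side, the vulnerable pattern described under Reproduction (a default checkout followed by an artifact upload that sweeps in the .git directory) and the remediated form described under Remediation (checkout@v4 with persist-credentials set to false). The job names, the artifact names, the `make build` step and the `dist/` output directory are placeholders; the pre-upload guard step is an extra defensive check and relies on the fact that actions/checkout stores the credential as an `http.<server>.extraheader` entry in .git/config.

```yaml
# Added example (not goshs's own workflow): vulnerable job beside its remediated form.
# Job names, artifact names, 'make build' and 'dist/' are placeholders.

name: build

on: [push]

jobs:
  # --- Vulnerable pattern: default checkout + artifact that includes .git/ ---
  vulnerable-example:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        # persist-credentials defaults to true, so GITHUB_TOKEN is written
        # into .git/config as an HTTP extraheader for the rest of the job.
      - run: make build
      - uses: actions/upload-artifact@v4
        with:
          name: build-with-git-dir
          # Uploading the whole workspace ships .git/config, token included.
          path: .

  # --- Remediated pattern ---
  hardened-example:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The token is removed from .git/config once the fetch completes.
          persist-credentials: false
      - run: make build
      # Defensive check: fail the job if any git config in the workspace still
      # carries a credential header before anything is uploaded.
      - name: Ensure no persisted credentials reach the artifact
        run: |
          if git config --get-regexp '^http\..*\.extraheader' >/dev/null 2>&1; then
            echo "::error::.git/config still contains an extraheader credential; refusing to upload"
            exit 1
          fi
      - uses: actions/upload-artifact@v4
        with:
          name: build
          # Upload only the build output and explicitly exclude git metadata.
          path: |
            dist/
            !**/.git/**
```

The guard step uses `git config --get-regexp`, which exits non-zero when no key matches, so the job only fails if a credential header is actually present. Limiting the artifact path to the build output and excluding `**/.git/**` is a second, independent safeguard in case a later edit re-enables credential persistence.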
