Workflows triggered on the pull_request_target event potentially have access to repository secrets, to a GITHUB_TOKEN with write permissions and to the cache access token, even though the pull request they react to may come from a fork. Because of that, under certain conditions (most commonly checking out and running code from the pull request head) they can lead to "pwn request" vulnerabilities.
Workflows for most events run from the default branch of the repository or from the branch that triggered them. Workflows triggered on the pull_request_target event, however, run from the target (base) branch of the pull request. This means that a repository may carry multiple versions of the same workflow file on different branches, and an attacker can choose which version runs simply by opening a pull request against a specific branch (for example an old release branch that still has an unpatched copy). To reduce the number of branches on which pull_request_target workflows can be triggered, it is recommended to use branch filters (`branches` or `branches-ignore` under the trigger) in every copy of the workflow.
The pwn request scanner is a simple tool. It does not analyze in depth whether a given pull_request_target workflow is exploitable; instead it scans all branches of a repository for workflows with a pull_request_target trigger that do not follow the best practice of using branch filters, and reports each branch and workflow file that is affected.
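As an added illustration (this is not the scanner's own code), the JavaScript below applies the check described above to a constructed sample repository with several branches, each carrying its own copies of the workflow files. Real workflow files are YAML; here the `on:` sections are written as the JavaScript objects a YAML parser would return for them, so the example runs offline without extra dependencies. The repository layout, the file names and the helper names (`pullRequestTargetConfig`, `hasBranchFilter`, `scanRepository`) are assumptions made for this example. It also shows the branch filter recommendation from the previous paragraph: the filtered `ci.yml` on `main` passes, while the unfiltered copies on `old-release` are flagged.

```javascript
// Added example, not the pwn request scanner's own code.
// Sample workflows are constructed inline; the `on:` key is assumed to have
// been parsed by a YAML parser that keeps the key as the string "on".

const TRIGGER = 'pull_request_target';

// Return the trigger's config object if the workflow triggers on
// pull_request_target, `undefined` otherwise. GitHub accepts three shapes:
//   on: pull_request_target                   -> string
//   on: [push, pull_request_target]           -> array
//   on: { pull_request_target: {...} | null } -> object (null when no options)
function pullRequestTargetConfig(on) {
  if (typeof on === 'string') return on === TRIGGER ? {} : undefined;
  if (Array.isArray(on)) return on.includes(TRIGGER) ? {} : undefined;
  if (on && typeof on === 'object' && TRIGGER in on) return on[TRIGGER] || {};
  return undefined;
}

// True when the trigger carries an explicit branch filter. `types` and
// `paths` do not restrict which base branch a pull request may target,
// so they do not count. A filter may be a list or a single scalar.
function hasBranchFilter(cfg) {
  const present = (v) =>
    (typeof v === 'string' && v.length > 0) || (Array.isArray(v) && v.length > 0);
  return present(cfg.branches) || present(cfg['branches-ignore']);
}

// Scan every branch's workflow files and return one finding per
// pull_request_target workflow that has no branch filter.
// `repo` has the shape { branchName: { workflowFile: parsedWorkflow } }.
function scanRepository(repo) {
  const findings = [];
  for (const [branch, workflows] of Object.entries(repo)) {
    for (const [file, workflow] of Object.entries(workflows)) {
      const cfg = pullRequestTargetConfig(workflow.on);
      if (cfg === undefined) continue;     // not a pull_request_target workflow
      if (hasBranchFilter(cfg)) continue;  // filtered: PRs to other branches won't run it
      findings.push({
        branch,
        file,
        reason: `${TRIGGER} trigger without a branches/branches-ignore filter`,
      });
    }
  }
  return findings;
}

// Constructed sample repository (not real data). The same workflow file
// differs between branches: `main` carries the filtered version, while a
// pull request targeting `old-release` would run the unfiltered copy.
const sampleRepo = {
  main: {
    'ci.yml':    { on: { pull_request_target: { branches: ['main'] } } },
    'label.yml': { on: { pull_request_target: { types: ['opened'] } } }, // types is not a branch filter
    'push.yml':  { on: ['push', 'pull_request'] },                       // not in scope
  },
  'old-release': {
    'ci.yml':    { on: 'pull_request_target' },
    'label.yml': { on: { pull_request_target: null } },
  },
  'feature/x': {
    'ci.yml':    { on: { pull_request_target: { 'branches-ignore': ['main'] } } },
  },
};

for (const f of scanRepository(sampleRepo)) {
  console.log(`${f.branch}: .github/workflows/${f.file}: ${f.reason}`);
}
```

Two practical notes. A `branches-ignore` filter counts as a filter, but it is a deny-list: a pull request against any branch not listed still triggers the workflow, so an allow-list (`branches`) is the stricter choice. And when porting this to another language, beware that YAML 1.1 parsers such as PyYAML read the bare key `on` as the boolean `true`, so the lookup of the trigger section must account for that.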
You can run the scanner as:
- As a GitHub Action in your repository. Just copy the sample workflow, or fork the repository and run the workflow from your fork.
- In a codespace, by running `node dist/index.js owner/repo` or `node dist/index.js owner`.
- Locally, by running the `index.js` script from the `dist` folder. Set the environment variable `GITHUB_TOKEN` to your Personal Access Token (PAT); the scanner only reads workflow files, so prefer a token scoped to read-only access.