Preface

This article describes a vulnerability assessment that was performed with permission from the Homebrew project's staff; it is not a recommendation to perform an unauthorized vulnerability assessment. The Homebrew project runs a "Vulnerability Disclosure Program" on HackerOne, which allows hackers to perform vulnerability assessments. If you find any vulnerability in Homebrew, please report it to the Homebrew project's vulnerability disclosure program. (The official blog post about this incident is available here: )

In the Homebrew/homebrew-cask repository, it was possible to merge a malicious pull request by confusing the library used by the automated pull request review script developed by the Homebrew project. By abusing this, an attacker could execute arbitrary Ruby code on the machines of users who use brew.

One afternoon, I had a little time before my next appointment, so I decided to look for an interesting program on HackerOne. As I wanted to find a vulnerability in software or services I was actually using, I looked around on my PC, and the brew command caught my eye. Then I remembered that I had seen a program named Homebrew on HackerOne, so I decided to look for a vulnerability in it.

To select a target, I looked at the policy page of the vulnerability disclosure program and noticed that the Homebrew/homebrew-* repositories are in scope. As I'm not good at reading complicated Ruby code, I decided to look for a vulnerability in Homebrew/homebrew-*.

I think the following two vulnerability types are common in GitHub repositories:

- Leakage of API tokens that have permissions against the repository.
- Vulnerabilities in the CI scripts used by the repository.

So I started to check these two vulnerability types on the repositories that are in scope.

To check the first one, I cloned all repositories created by members of Homebrew and scanned them for token-like strings. However, as GitHub has a feature that scans for leaked tokens, this type of vulnerability is not common these days, and as expected, I couldn't find any valid tokens. Then I started reading code to check the second one.

The Homebrew project uses GitHub Actions to run its CI scripts, and the workflow definitions live in the .github/workflows/ directory of each repository. After reviewing some repositories, I was very interested in review.yml and automerge.yml of Homebrew/homebrew-cask.

It looks like review.yml checks the contents of a user-submitted pull request, and if that pull request is simple enough (e.g. it bumps a version), it approves the pull request. After that, automerge.yml automatically merges approved pull requests.

The Ruby script used by review.yml fetches the pull request contents as a diff file and parses it with the git_diff gem. It then approves the pull request only if all of the conditions below are met:

- Target filepath matches `\ACasks/[^/]+\.rb\Z`.
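As an added illustration of the review flow described above, here is a small Ruby script that does what the path condition asks for: it takes a pull request diff, extracts the changed file paths, and approves only if every path is a top-level cask file. This is example code written for this page, not Homebrew's review script, and it deliberately does not use the git_diff gem (which review.yml relies on); instead it contains a tiny hand-written unified-diff walker so that it runs offline. The sample diffs are constructed for the example, and applying the condition to every file in the diff is an assumption of the example, since only the path condition is quoted here.

```ruby
# Added example, not Homebrew's review script. A hand-written unified-diff
# walker stands in for the git_diff gem so the block runs offline; the real
# review.yml fetches the pull request diff from GitHub.

# The path condition quoted from the review script's checks.
CASK_PATH = %r{\ACasks/[^/]+\.rb\Z}

# Collect the post-image ("b/...") path of every file in a unified diff.
# File boundaries are taken only from "diff --git" headers, so nothing
# inside a hunk (lines starting with ' ', '+' or '-') can add a file.
def changed_paths(diff_text)
  diff_text.each_line.filter_map do |line|
    m = %r{\Adiff --git a/(\S+) b/(\S+)\s*\z}.match(line)
    m && m[2]
  end
end

# Approve only if at least one file changed and every changed file is a
# top-level cask definition. Applying the condition to every file is an
# assumption of this example; the script's full list of conditions is longer.
def approvable?(diff_text)
  paths = changed_paths(diff_text)
  !paths.empty? && paths.all? { |p| CASK_PATH.match?(p) }
end

# Constructed sample diffs (not real pull requests).
VERSION_BUMP = <<~DIFF
  diff --git a/Casks/example.rb b/Casks/example.rb
  index 1111111..2222222 100644
  --- a/Casks/example.rb
  +++ b/Casks/example.rb
  @@ -1,4 +1,4 @@
   cask "example" do
  -  version "1.0.0"
  +  version "1.0.1"
     sha256 "0000000000000000000000000000000000000000000000000000000000000000"
DIFF

# Same bump plus an edit to a workflow file: must not be auto-approved.
WORKFLOW_EDIT = VERSION_BUMP + <<~DIFF
  diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml
  index 3333333..4444444 100644
  --- a/.github/workflows/review.yml
  +++ b/.github/workflows/review.yml
  @@ -1,2 +1,2 @@
   name: Review
  -on: pull_request
  +on: push
DIFF

# A cask placed one directory deeper than Casks/: fails the path regex.
NESTED_PATH = VERSION_BUMP.gsub("Casks/example.rb", "Casks/sub/example.rb")

if __FILE__ == $PROGRAM_NAME
  { "version bump" => VERSION_BUMP,
    "workflow edit" => WORKFLOW_EDIT,
    "nested path" => NESTED_PATH }.each do |label, diff|
    puts "#{label}: #{approvable?(diff) ? 'approve' : 'needs human review'}"
  end
end
```

The point of the design here is that the file list, which every later condition depends on, is derived from one unambiguous marker (`diff --git`) and never from `---`/`+++` or hunk content. Whatever parser an auto-review script uses, the file and line boundaries it reports must agree exactly with how git itself reads the diff, because the approval decision is only as sound as that parse.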