External Contributors and pull_request_target

By default, forked Github repos will only get read level access to the Github API within their Github Actions when they make a Pull Request. We should not be able to escalate their permissions using the permissions config as long as Send write tokens to workflows from pull requests is not enabled.

However, we could still improperly use pull_request_target to enable forked repos to get write Github API access. With write Github API access an attacker could modify or create a release with a malicious wasm file for example.

We should avoid using pull_request_target.

If we really need to use it we should carefully ensure the following is true of that Github workflow:

It must use default checkout:

By default the Github checkout action actually pulls the head of main and not the head of the pull request IF the workflow is of the type pull_request_target. This allows us to only checkout code from main with the write access.

If we are overriding the ref like so:

    # DO NOT DO THIS
    - uses: actions/checkout@v2
      with:
        ref: ${{ github.event.pull_request.head.sha }}

Then we will be allowing forked repositories to run their own unverified code with write level Github API access in this Github Action.

This is extremely problematic because pull_request_target auto runs, EVEN if the contributor is a first time contributor, because it is a part of the main repo and not the fork. They would be able to pwn us immediately on creating the PR, without waiting for us to "run the actions".

It doesn't save cache:

This pull_request_target cache is shared with the base repo, so it could be tainted with arbitrary code. This means we should not save the cache at the end of this workflow. By default, forked repos use their own cache, not the target repo's cache.

More information: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/