Security research without leaving GitHub: from code scanning to CVE with Codespaces and private vulnerability reporting.

Hello dear readers! Have you ever wondered how GitHub Security Lab conducts security research? In this article, you will learn how we leverage GitHub products and features such as code scanning, CodeQL, Codespaces, and private vulnerability reporting. By the time we finish, you will have mastered the art of quickly setting up a clean and temporary environment for discovering, verifying, and disclosing vulnerabilities in open source software (OSS).

As you explore the content of this article, you will notice that we cover a wide range of GitHub tools. If you have feedback or questions, we encourage you to participate in our community discussions. Rest assured that this article is designed to be accessible to readers regardless of their previous familiarity with the mentioned tools. So let’s embark on this journey together!

The concept of an “interesting target” may have different meanings for each of you based on the goal of your research. To find an “interesting target” and also to make this fun, you will need to set some filters first, unless you truly want to dive into anything. From the language in which the project is written, to the surface it exposes (is it an application? a framework?), each aspect is important to have a clear target.

Many times, we need to extensively search for the use of a specific method or library. Whether it’s for inspiration to use it, or to exploit it, GitHub code search is there for us. We can use this feature to search across all public GitHub repositories with language, path, and regular expression filters.

One of the aspects that makes a target interesting is usually the number of people using the project (i.e., those who would be affected if a vulnerability occurred), which is provided by GitHub’s dependency graph, but it doesn’t end there: we are also interested in how often the project is updated, the number of stars, recent contributors, etc. Fortunately for us, some very smart minds at the Open Source Security Foundation (OpenSSF) have already done considerable work in this area.

The OpenSSF created the Open Source Project Criticality Score, which “defines the influence and importance of a project. It is a number between 0 (less critical) and 1 (more critical).” The details of the scoring algorithm can be found in the ossf/criticality_score repository. A few months after the release, Google gathered information for the top 100,000 GitHub repositories and shared it in a spreadsheet.
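To make the scoring concrete, here is an added Python example (not code from this article or from the ossf/criticality_score project) that implements the published formula over a project's signals and ranks candidate targets with it. The weights and thresholds are the ones the repository's README lists for the original algorithm, reproduced from memory, so check them against the repository before relying on exact numbers; the project signals used as input are constructed, not real data.

```python
"""Added example: the OpenSSF criticality score formula, used to rank candidate targets.
Not code from the article or from ossf/criticality_score; weights and thresholds are
reproduced from memory of that project's README and should be verified against it."""
import math

# signal name: (weight alpha_i, threshold T_i), as listed for the original algorithm
PARAMETERS = {
    "created_since": (1.0, 120),        # months since the project was created
    "updated_since": (-1.0, 120),       # months since the last update (negative weight)
    "contributor_count": (2.0, 5000),   # contributors with commits
    "org_count": (1.0, 10),             # distinct organizations contributors belong to
    "commit_frequency": (1.0, 1000),    # average commits per week over the last year
    "recent_releases_count": (0.5, 26), # releases in the last year
    "closed_issues_count": (0.5, 5000), # issues closed in the last 90 days
    "updated_issues_count": (0.5, 5000),# issues updated in the last 90 days
    "comment_frequency": (1.0, 15),     # average comments per issue in the last 90 days
    "dependents_count": (2.0, 500000),  # project mentions in commit messages
}


def criticality_score(signals):
    """C = (1 / sum(alpha_i)) * sum(alpha_i * log(1 + S_i) / log(1 + max(S_i, T_i))).

    Signals missing from the dict count as 0. Each term saturates at 1.0 once the
    signal reaches its threshold, so a huge contributor count cannot dominate alone.
    """
    total_weight = sum(weight for weight, _ in PARAMETERS.values())
    score = 0.0
    for name, (weight, threshold) in PARAMETERS.items():
        value = max(float(signals.get(name, 0)), 0.0)  # guard against negative inputs
        score += weight * math.log(1 + value) / math.log(1 + max(value, threshold))
    return round(score / total_weight, 5)


def rank_candidates(projects):
    """Return (project name, score) pairs, most critical first."""
    scored = [(name, criticality_score(signals)) for name, signals in projects.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed, illustrative signals (not measurements of any real project).
SAMPLE_PROJECTS = {
    "widely-used-framework": {
        "created_since": 96, "updated_since": 0, "contributor_count": 1200,
        "org_count": 10, "commit_frequency": 40, "recent_releases_count": 12,
        "closed_issues_count": 900, "updated_issues_count": 1500,
        "comment_frequency": 6, "dependents_count": 150000,
    },
    "small-hobby-tool": {
        "created_since": 18, "updated_since": 7, "contributor_count": 3,
        "org_count": 1, "commit_frequency": 0.2, "recent_releases_count": 1,
        "closed_issues_count": 4, "updated_issues_count": 6,
        "comment_frequency": 1, "dependents_count": 20,
    },
}

if __name__ == "__main__":
    for name, score in rank_candidates(SAMPLE_PROJECTS):
        print(f"{score:.5f}  {name}")
```

Two properties worth knowing when you use this to build a target list: a project that hits every threshold scores exactly 1.0, and the negatively weighted updated_since signal is what pulls stale projects down even when their other numbers look impressive.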

At GitHub Security Lab, we are continually analyzing OSS projects with the goal of keeping the software ecosystem secure, focusing on high-profile projects that we all depend on and trust. To find these, we base our target lists on the OpenSSF criticality score.

We published our code review of Frigate, where we exploited user-controlled data deserialization using the default PyYAML loader. It’s a great project to use as an example in this article, given its over 1.6 million downloads of the Frigate container at the time of writing and the ease of the setup process.

Once we have identified our target, let’s fork the repository.

When code scanning is “connected” with a static analysis tool like GitHub’s CodeQL, that’s when the magic happens. CodeQL is GitHub’s static code analysis engine developed to automate security checks. CodeQL performs semantic and data flow analysis, “allowing you to query code as if it were data.” The learning curve of CodeQL can be steep at the beginning, but it’s worth the effort as its data flow libraries provide a solution for any kind of situation.

With the default setup of CodeQL, you will already find impactful issues. However, if you are a security team like GitHub Security Lab, you may prefer to use a different set of auditing models and queries that have a low false negative rate, or community-driven custom models for your specific target or methodology. With that in mind, we recently released our CodeQL Community Packs, and using them is as easy as a line in your workflow file.

A few minutes later, the results will be displayed in the Security tab; let’s take a closer look!

While you might think running CodeQL locally would be easier, code scanning provides additional built-in mechanisms to avoid duplicate alerts, prioritize them, or dismiss them. Also, the amount of information provided by a single alert page can save you a lot of time. This view answers some key questions instantly: what, where, when, and how. To see the full flow, click on “Show paths.”
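The same what/where/how summary can be pulled out of the SARIF file that CodeQL uploads to code scanning, which is useful when you want to triage results from a script or keep them alongside a report. The following is an added Python example, not code from this article, from CodeQL or from code scanning; the SARIF document, rule ids and fingerprints in it are constructed for illustration, and the deduplication by primaryLocationLineHash is an approximation of what code scanning does, not its actual algorithm.

```python
"""Added example: summarize CodeQL SARIF 2.1.0 results the way the alert page does
(what, where, how, plus the data-flow path behind "Show paths")."""

# Constructed SARIF document in the shape CodeQL produces; rule ids are made up.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "py/example-unsafe-yaml-load",
             "shortDescription": {"text": "Deserialization of user-controlled data"},
             "properties": {"security-severity": "9.8"}},
            {"id": "py/example-clear-text-logging",
             "shortDescription": {"text": "Clear-text logging of sensitive data"},
             "properties": {"security-severity": "7.5"}},
        ]}},
        "results": [
            {"ruleId": "py/example-clear-text-logging", "level": "warning",
             "message": {"text": "Sensitive data is logged in clear text."},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/log.py"},
                                                 "region": {"startLine": 7}}}],
             "partialFingerprints": {"primaryLocationLineHash": "fp-b"}},
            {"ruleId": "py/example-unsafe-yaml-load", "level": "error",
             "message": {"text": "Unsafe deserialization depends on a user-provided value."},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/config.py"},
                                                 "region": {"startLine": 42}}}],
             "partialFingerprints": {"primaryLocationLineHash": "fp-a"},
             "codeFlows": [{"threadFlows": [{"locations": [
                 {"location": {"physicalLocation": {"artifactLocation": {"uri": "app/api.py"},
                                                    "region": {"startLine": 10}},
                               "message": {"text": "request body (source)"}}},
                 {"location": {"physicalLocation": {"artifactLocation": {"uri": "app/config.py"},
                                                    "region": {"startLine": 42}},
                               "message": {"text": "yaml.load argument (sink)"}}},
             ]}]}]},
            # Constructed duplicate of the finding above (same fingerprint, no path).
            {"ruleId": "py/example-unsafe-yaml-load", "level": "error",
             "message": {"text": "Unsafe deserialization depends on a user-provided value."},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/config.py"},
                                                 "region": {"startLine": 42}}}],
             "partialFingerprints": {"primaryLocationLineHash": "fp-a"}},
        ],
    }],
}


def _where(physical):
    """Render a SARIF physicalLocation as path:line."""
    uri = physical.get("artifactLocation", {}).get("uri", "?")
    line = physical.get("region", {}).get("startLine")
    return f"{uri}:{line}" if line is not None else uri


def _paths(result):
    """Each threadFlow is one source-to-sink path: a list of (where, step message)."""
    paths = []
    for flow in result.get("codeFlows", []):
        for thread in flow.get("threadFlows", []):
            paths.append([(_where(step.get("location", {}).get("physicalLocation", {})),
                           step.get("location", {}).get("message", {}).get("text", ""))
                          for step in thread.get("locations", [])])
    return paths


def summarize_results(sarif):
    """One dict per result (what, where, how), highest security-severity first."""
    summaries = []
    for run in sarif.get("runs", []):
        rules = {rule["id"]: rule for rule in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            rule = rules.get(result.get("ruleId"), {})
            severity = rule.get("properties", {}).get("security-severity")
            primary = result.get("locations", [{}])[0].get("physicalLocation", {})
            summaries.append({
                "rule": result.get("ruleId"),
                "title": rule.get("shortDescription", {}).get("text", ""),
                "severity": float(severity) if severity is not None else None,
                "where": _where(primary),
                "message": result.get("message", {}).get("text", ""),
                "paths": _paths(result),
                "fingerprint": result.get("partialFingerprints", {}).get("primaryLocationLineHash"),
            })
    summaries.sort(key=lambda s: s["severity"] if s["severity"] is not None else 0.0, reverse=True)
    return summaries


def deduplicate(summaries):
    """Keep the first summary per fingerprint (falling back to rule + location), an
    approximation of how code scanning avoids showing the same finding twice."""
    seen, unique = set(), []
    for summary in summaries:
        key = summary["fingerprint"] or (summary["rule"], summary["where"])
        if key not in seen:
            seen.add(key)
            unique.append(summary)
    return unique


if __name__ == "__main__":
    for alert in deduplicate(summarize_results(SAMPLE_SARIF)):
        print(f"[{alert['severity']}] {alert['rule']} at {alert['where']}: {alert['message']}")
        for path in alert["paths"]:
            print("  path: " + " -> ".join(f"{where} ({why})" for where, why in path))
```

Because the sort is stable and the duplicate comes later in the file, deduplication keeps the copy that carries the code flow, so the printed path is the same source-to-sink chain the alert page expands under “Show paths.”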

Now that we are confident about the exploitability of the issue, we can move on to the exploitation phase.

Codespaces is GitHub’s solution for instant and customizable cloud-based development environments based on Visual Studio Code. We will use Codespaces as our exploitation environment due to its secure (isolated) and ephemeral nature, as we are one click away from creating and deleting a codespace. Although this feature has its own billing, we will use the 120 free core hours per month.

Once we have validated the vulnerability and built a proof of concept (PoC), we can use the private vulnerability report to communicate privately with the maintainers of Frigate.

Reporting vulnerabilities in open source projects has never been an easy topic for many reasons: finding a private way to communicate with the maintainers, getting their response, and agreeing on the many details a vulnerability involves is quite challenging over a plain text channel. That’s what private vulnerability reporting (PVR) solves: a single private and interactive place where security researchers and maintainers work together to make their software safer and their consumers more aware.

In today’s technical environment, GitHub serves as a valuable resource for security researchers. With tools like code scanning, Codespaces, and private vulnerability reporting integrated on the platform, researchers can effectively identify and address vulnerabilities from start to finish.

This comprehensive strategy not only simplifies research, but also enhances the global cybersecurity community. By offering a secure, collaborative, and efficient platform for detecting and addressing potential threats, GitHub empowers both experienced security professionals and aspiring researchers. It is the ideal destination to bolster security and stay ahead of the ever-changing threat landscape. Happy coding and researching!
