We are a security startup and we wanted to know what goes into our build server (which happened to be GH runners). We took a deeper look in the Ubuntu-latest runners and went down the rabbit hole.
I get the point, it shouldn't be like that at all.
But you can use a runner that you run on your behalf in a cloud instead and create your runner with minimum packages. At least for as long as the situation stays like this.
It's the first time i became clear how big the problem really is - only looking at the vulns at https://osv.dev/ (thanks for sharing - i didn't know that one).
I was aware of the vuln and lately wormed mess in npm, but i was sure everything else is mitigated much better - and runners, i of course thought are cared for a lot more. Yes, i am looking at you GH.
Are any of them actually exploitable in the context of a GitLab runner that doesn't use them? This feels like a security company looking for ways to justify their existence.
4 comments
[ 2.9 ms ] story [ 16.9 ms ] threadIt's the first time i became clear how big the problem really is - only looking at the vulns at https://osv.dev/ (thanks for sharing - i didn't know that one).
I was aware of the vuln and lately wormed mess in npm, but i was sure everything else is mitigated much better - and runners, i of course thought are cared for a lot more. Yes, i am looking at you GH.