The vulnerable review-cask-pr GitHub Action has been disabled and removed from all repositories.No action is required by users due to this incident. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request.Ī single cask was compromised with a harmless change for the duration of the demonstration pull request until its reversal. This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request’s diff for inspection.
The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged automatically. We subsequently reverted the PoC pull request, disabled and removed the automerge GitHub Action and disabled and removed the review-cask-pr GitHub Action from all vulnerable repositories. A proof-of-concept (PoC) pull request demonstrating the vulnerability was submitted with our permission.
The approval would then trigger the automerge GitHub Action which would merge the approved pull request.
Whenever an affected cask tap received a pull request to change only the version of a cask, the review-cask-pr GitHub Action would automatically review and approve the pull request. On 18th April 2021, a security researcher identified a vulnerability in our review-cask-pr GitHub Action used on the homebrew-cask and all homebrew-cask-* taps (non-default repositories) in the Homebrew organization and reported it on our HackerOne.