
No verification of commits origin in dependabot PR

Moderate
simoneb published GHSA-v5vr-h3xq-8v6w May 27, 2022

Package

github-action-merge-dependabot (github-actions)

Affected versions

<=3.1.5

Patched versions

3.2.0

Description

Impact

github-action-merge-dependabot does not check whether the commits in a PR created by dependabot are verified with dependabot's GPG key. It only checks whether the actor is set to dependabot[bot] to decide that the PR is legitimate. Theoretically, the owner of a seemingly valid and legitimate action in the pipeline can check whether the PR was created by dependabot and whether their own action has enough permissions to modify the PR. If so, they can modify the PR by adding a second seemingly valid and legitimate commit, since git lets anyone set an arbitrary author name and email on a commit. Because the bot only checks that the actor is valid, it would pass the malicious changes through and merge them automatically without project maintainers noticing. It would probably not be possible to determine where the malicious commit originally came from, as it would only show "dependabot[bot]" and the corresponding email address.
In my opinion, actions should not be trusted and auto-merging PRs should be as safe as possible.
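The defensive check the advisory calls for, as an added example that is not the action's own code: instead of trusting the PR actor, vet every commit on the PR and require that each one is both attributed to dependabot[bot] and signature-verified by GitHub. The input shape assumes the GitHub REST "list commits on a pull request" response (`author.login`, `commit.verification.verified`, `commit.verification.reason`); the sample commits and SHAs are constructed.

```javascript
// Added example, not code from github-action-merge-dependabot.
const DEPENDABOT_LOGIN = 'dependabot[bot]';

// The weak check described in the advisory: only the workflow actor is inspected,
// so a PR with an injected commit passes as long as the actor is dependabot[bot].
function actorOnlyCheck(actor) {
  return actor === DEPENDABOT_LOGIN;
}

// A single commit is trusted only if GitHub resolved its author to dependabot[bot]
// AND GitHub verified its signature ("valid" reason). A commit whose author name and
// email were merely set to look like dependabot has no valid signature and fails here.
function isTrustedDependabotCommit(c) {
  const v = c.commit && c.commit.verification;
  return Boolean(
    c.author && c.author.login === DEPENDABOT_LOGIN &&
    v && v.verified === true && v.reason === 'valid'
  );
}

// Vet the whole PR: every commit must pass. Returns the SHAs that were rejected so a
// workflow can log exactly which commit broke the chain of trust.
function vetPullRequestCommits(commits) {
  const rejected = commits
    .filter((c) => !isTrustedDependabotCommit(c))
    .map((c) => c.sha);
  return { ok: commits.length > 0 && rejected.length === 0, rejected };
}

// Constructed sample (assumed API shape): the first commit is a genuine, verified
// dependabot commit; the second spoofs the author but carries no valid signature.
const SAMPLE_COMMITS = [
  {
    sha: 'aaa111',
    author: { login: 'dependabot[bot]' },
    commit: {
      author: { name: 'dependabot[bot]', email: 'dependabot[bot]@example.invalid' },
      verification: { verified: true, reason: 'valid' },
    },
  },
  {
    sha: 'bbb222',
    author: { login: 'dependabot[bot]' },
    commit: {
      author: { name: 'dependabot[bot]', email: 'dependabot[bot]@example.invalid' },
      verification: { verified: false, reason: 'unsigned' },
    },
  },
];
```

The actor-only check accepts the whole sample PR, while the per-commit check rejects it and names `bbb222` as the offending commit.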

Patches

The problem is patched in version 3.2.0; users should upgrade to 3.2.0 or later.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

https://hackerone.com/bugs?report_id=1564530

Severity

Moderate

CVE ID

CVE-2022-29220

Weaknesses

Credits