GitHub's Ubuntu Runners Have 1,681 Packages and 9 High Severity Vulns

4 hours ago (bomfather.dev)

I get the point; it shouldn't be like that at all. But you can use a runner that you run yourself in a cloud instead and create your runner with minimum packages. At least for as long as the situation stays like this.

It's the first time it became clear to me how big the problem really is, only looking at the vulns at https://osv.dev/ (thanks for sharing, I didn't know that one).

I was aware of the vuln and the lately wormed mess in npm, but I was sure everything else is mitigated much better, and runners, I of course thought, are cared for a lot more. Yes, I am looking at you, GH.

  • Thanks for your thoughts!

    Yeah, that is exactly what we thought, so we are migrating our runner to our own infra.

Are any of them actually exploitable in the context of a GitLab runner that doesn't use them? This feels like a security company looking for ways to justify their existence.

  • Hey, I'm a co-founder of Bomfather; we just stumbled upon this problem when we were building our product. Our product doesn't actually secure this; the best solution is to just run your own private runner.

We are a security startup and we wanted to know what goes into our build server (which happened to be GH runners). We took a deeper look at the Ubuntu-latest runners and went down the rabbit hole.
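As an added example (constructed here, not code from the thread or from Bomfather): the "inventory the runner, then look the packages up on osv.dev" check the thread describes, in Python. It parses `dpkg-query` output, builds OSV `/v1/querybatch` request bodies, and maps a reply back to packages. The package list, the OSV ecosystem label `Ubuntu:24.04:LTS`, the batch size limit, and the vulnerability IDs in the sample reply are all assumptions or placeholders; nothing is sent over the network, so it runs offline.

```python
"""Inventory the packages on a runner and prepare an OSV batch lookup."""
import json

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
# Illustrative package/version pairs only, not real ubuntu-latest data.
SAMPLE_DPKG_OUTPUT = """\
curl 8.5.0-2ubuntu10
libssl3 3.0.13-0ubuntu3
git 1:2.43.0-1ubuntu7
"""

# Assumption: OSV ecosystem label for the runner's Ubuntu release.
# OSV names Ubuntu ecosystems per release; confirm the exact string on osv.dev.
ECOSYSTEM = "Ubuntu:24.04:LTS"

# Assumption: maximum number of queries OSV accepts in one querybatch call.
BATCH_LIMIT = 1000


def parse_dpkg(text):
    """Turn dpkg-query output into (name, version) pairs, skipping blank lines."""
    pkgs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version = line.split(None, 1)
        pkgs.append((name, version.strip()))
    return pkgs


def build_querybatches(pkgs, ecosystem=ECOSYSTEM, limit=BATCH_LIMIT):
    """Build one or more /v1/querybatch request bodies, preserving package order."""
    queries = [
        {"package": {"name": name, "ecosystem": ecosystem}, "version": version}
        for name, version in pkgs
    ]
    return [{"queries": queries[i:i + limit]} for i in range(0, len(queries), limit)]


def summarize(pkgs, response):
    """Map querybatch results back to packages.

    Results come back in query order; a package with no known vulnerabilities
    is an empty object, so it contributes no entry to the returned dict.
    """
    results = response["results"]
    if len(results) != len(pkgs):
        raise ValueError("result count does not match query count")
    findings = {}
    for (name, version), result in zip(pkgs, results):
        ids = [v["id"] for v in result.get("vulns", [])]
        if ids:
            findings[f"{name} {version}"] = ids
    return findings


# Constructed reply shaped like OSV's querybatch response; the ID is a placeholder.
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "EXAMPLE-VULN-0001", "modified": "2024-01-01T00:00:00Z"}]},
        {},
        {"vulns": []},
    ]
}

if __name__ == "__main__":
    pkgs = parse_dpkg(SAMPLE_DPKG_OUTPUT)
    for body in build_querybatches(pkgs):
        # To run for real, save this body and POST it:
        #   curl -sS -X POST https://api.osv.dev/v1/querybatch -d @payload.json
        print(json.dumps(body, indent=2))
    print(summarize(pkgs, SAMPLE_RESPONSE))
```

On a real runner, feed it the output of `dpkg-query -W -f='${Package} ${Version}\n'` and POST each body to osv.dev; the querybatch reply only carries IDs, so severity has to be read from the individual vulnerability records afterwards.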