Weaponizing Dependabot: Pwn Request at its finest

Summary

TL;DR: Your trusty Dependabot (and other GitHub bots) might be an unwitting accomplice. Through "Confused Deputy" attacks, they can be tricked into merging malicious code. This doesn’t stop here. It can escalate to full command injection via crafted branch names and even bypass branch protection rules. Plus, we disclose two new TTPs to build upon previously known techniques. Introduction Ah, Dependabot! GitHub's built-in butler, tirelessly checks if your dependencies are fresh and, if not, prepares a PR with the updates. What a lifesaver, right? But, as with any cog in an automated system, there’s always the potential for rust. In this story, it is the deputy confusion attack. Meet Dependabot: Your Automated Dependency Butler So, how does this magic work? You can boss Dependabot around using a .github/dependabot.yml file (check out the Dependabot options reference). Once active, Dependabot periodically scans your repo, guided by its config file. It also perks up and re-scans whenever you tweak this file or poke it via the https://github.com/<Owner>/<Repo>/network/updates tab. When Dependabot spots an outdated dependency, it kicks off a workflow (you'll see "Dependabot Updates" pop up in your Actions tab). Then, it creates a new branch, usually named something like dependabot/<module_type>/<registry>/<package_name>/<new_version>. Finally, it opens a Pull Request to your default branch with all the suggested changes. The "Confused Deputy" Problem: Wait, Who Asked You To Do That? Now, let's talk about the Confused Deputy Problem. It's a classic vulnerability class (CWE-441, if you're into that sort of thing) where a trusted party (our "deputy") is tricked by an attacker into performing an action. The deputy thinks it’s doing honest work, but it's carrying out the attacker's nefarious plan. Some workflows are sensitive – they might have special permissions or access to secrets, so many developers added a user check at the beginning of them. Just to make sure it was trig...