Self Hosted Runner Network Risk
Description
Self-hosted runners that download and execute code from the internet without verification create significant security risks: downloaded scripts may be malicious, there is no verification of code integrity, and attackers can inject malicious payloads that compromise the runner. Once compromised, runners can be used to access internal networks, exfiltrate secrets, or perform lateral movement. Network operations from self-hosted runners should be carefully controlled and verified. [1]
Vulnerable Instance
- Workflow downloads and executes scripts from the internet on self-hosted runners without verification.
- No checksum verification or code review before execution.
- Malicious code can compromise the runner and access internal resources.
```yaml
name: Download and Run
on: [push]
jobs:
  setup:
    runs-on: self-hosted
    steps:
      - run: curl https://example.com/script.sh | bash # Dangerous - no verification
```

Mitigation Strategies
Download and verify scripts first

Download scripts to files, verify checksums before execution, review script content if possible, and only then execute verified scripts.

Use trusted sources

Only download from trusted sources, use HTTPS with certificate verification, pin to specific versions/commits, and verify checksums.

Store scripts in repository

Store scripts in the repository rather than downloading from the internet. This allows code review and version control.

Use GitHub Actions

Prefer GitHub Actions instead of shell scripts downloaded from the internet. Actions are more transparent and can be pinned to specific versions.

Implement network security controls

Use network segmentation, implement firewall rules, monitor outbound connections, and use allowlists for permitted endpoints.

Use containerized execution

Run untrusted code in containers with minimal privileges. Avoid the `--privileged` flag and grant specific capabilities only if needed.
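A download-then-verify helper in shell, added here as an example that is not part of the original page and not GitHub's own code, covering the "Download and verify scripts first" and "Use trusted sources" strategies above: the download is written to disk, its SHA-256 is checked against a digest pinned in the workflow using the two-space `sha256sum -c` format, the pinned HTTPS-only download fails on HTTP errors and deletes the file on mismatch, and execution happens only after verification. The URL, digest and file names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: download-then-verify helpers for
# self-hosted runner steps. Nothing here pipes a download into a shell.
set -eu

# Hex SHA-256 of a file (GNU coreutils sha256sum, or BSD shasum as a fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_file FILE EXPECTED_HEX: returns 0 when the digest matches, 1 otherwise.
verify_file() {
  local file="$1" expected="$2" actual
  if command -v sha256sum >/dev/null 2>&1; then
    # Checksum-list format that sha256sum -c reads: "<hash>  <filename>" (two spaces).
    if ! printf '%s  %s\n' "$expected" "$file" | sha256sum -c - >/dev/null 2>&1; then
      echo "checksum mismatch for $file (expected $expected)" >&2
      return 1
    fi
  else
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$expected" ]; then
      echo "checksum mismatch for $file: expected $expected, got $actual" >&2
      return 1
    fi
  fi
}

# run_verified FILE EXPECTED_HEX [ARGS...]: execute the script only after it verifies.
run_verified() {
  local file="$1" expected="$2"
  shift 2
  verify_file "$file" "$expected" || return 1
  bash "$file" "$@"
}

# fetch_verified URL EXPECTED_HEX DEST: version-pinned URL, HTTPS only (also for
# redirects), fail on HTTP errors, and remove the file on a digest mismatch.
# Needs network access, so it is not exercised by the offline checks.
fetch_verified() {
  local url="$1" expected="$2" dest="$3"
  curl -fsSL --proto '=https' --proto-redir '=https' --tlsv1.2 -o "$dest" "$url"
  if ! verify_file "$dest" "$expected"; then
    rm -f "$dest"
    return 1
  fi
}
```

In a workflow `run:` step, call `fetch_verified` with the pinned release URL and the digest taken from the release's published checksum file (assumed here), then `run_verified` with the same digest. Keeping the expected digest in the workflow means any change to it shows up in code review, and a mismatch fails the step before anything executes.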
Secure Version
name: Download and Verify
on: [push]
jobs:
setup:
runs-on: self-hosted
steps:
- - run: curl https://example.com/script.sh | bash # Dangerous - no verification
+ - name: Download script
+ run: |
+ curl -fsSL -o setup.sh https://releases.example.com/v1.2.3/setup.sh
+ - name: Verify checksum before execution
+ run: |
+ # Format: "<sha256hash> <filename>" (two spaces between hash and filename)
+ echo "a3f5b1c2d4e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2 setup.sh" | sha256sum -c -
+ - name: Execute verified script
+ run: bash setup.sh
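Review bot: the digest on the `echo "a3f5b1c2d4e6…" | sha256sum -c -` line is a sequential-hex placeholder rather than a published checksum; before this is merged it needs the digest from the release's own checksum file, obtained separately from the script, and the echoed line must keep exactly two spaces between the hash and `setup.sh`, as the comment above it says, because `sha256sum -c` rejects any other layout and the step would then fail without verifying anything. The `-f` on the curl step is worth keeping: without it an HTTP error body would be written to `setup.sh` and only the checksum step would catch it.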
Note: The correct `sha256sum` verification syntax pipes `"<hash>  <filename>"` (two spaces) into `sha256sum -c -`. Running `echo "hash" | sha256sum -c script.sh` is invalid and will not perform any verification.
Impact
| Dimension | Assessment |
|---|---|
| Likelihood | Downloading and executing scripts is common, but unverified downloads create high risk. |
| Risk | Malicious scripts can fully compromise self-hosted runners, providing access to internal networks and secrets. |
| Blast radius | Compromised runners can affect all systems the runner can access, including internal networks, databases, and services. |
References
- [1] GitHub Docs, “About self-hosted runners,” https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners