
OpenDDS build scoreboard leaks GitHub automatic auth tokens

Moderate
jrw972 published GHSA-jj3p-cff6-3p6x Feb 2, 2024

Package

No package listed

Affected versions

head

Patched versions

None

Description

Summary

OpenDDS test logs are public and include GitHub automatic authentication tokens. These tokens can theoretically be used to authenticate as the test job to GitHub with access to repo OpenDDS/OpenDDS.

Details

  1. Pull requests to https://github.com/OpenDDS/OpenDDS/pulls trigger tests via GitHub actions.
  2. The test output ends up on http://scoreboard.ociweb.com/ .
  3. Test output includes the environment variables from the job.
  4. The environment variables include ACTIONS_RUNTIME_TOKEN, which is a GitHub automatic authentication token (https://docs.github.com/en/actions/security-guides/automatic-token-authentication).

I think this is caused by "print_env_vars" in the workflow definition:
https://github.com/OpenDDS/OpenDDS/blob/master/.github/workflows/build_and_test.yml#L316

PoC

  1. Open http://scoreboard.ociweb.com/dds.html
  2. Find a build of OpenDDS_GHA_cmake_w19_re_p1_stat_FM-08 and click the "Config" link.
  3. Observe that the output includes ACTIONS_RUNTIME_TOKEN

You can paste the token into https://dinochiesa.github.io/jwt/ to view its content:

  • "ac": "[{\"Scope\":\"refs/heads/master\",\"Permission\":3}]"
  • "ref": "refs/heads/master"
  • "repository": "OpenDDS/OpenDDS"
  • "repository_owner": "OpenDDS"
  • "repository_visibility": "public"
  • "actor": "jrw972"
  • "workflow": "Build & Test"
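The two steps above (a job that dumps its environment into a public log, and a JWT-shaped token whose claims anyone can decode) suggest the control a scoreboard or CI publisher should apply before a log goes public: redact variables with secret-bearing names and any value that parses as a JWT. The following Python is an added example written for this advisory, not code from OpenDDS or the scoreboard; the environment dump, the variable names other than ACTIONS_RUNTIME_TOKEN, and the token (built with a dummy signature, so it authenticates to nothing) are constructed here, and the claim set only mirrors the fields quoted above. `jwt_claims` inspects a token's payload the way the JWT viewer in the PoC does, without verifying the signature; `redact_env_dump` is the sanitizer.

```python
import base64
import json
import re

# Variable names that should never reach a public log (assumed list).
SENSITIVE_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIALS?)$", re.IGNORECASE)
# Three base64url segments separated by dots; a necessary, not sufficient, JWT test.
JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(value):
    """Return the payload claims if value parses as a JWT, else None.
    This only inspects the token; it does not verify the signature."""
    if not JWT_SHAPE.match(value):
        return None
    head, body = value.split(".")[:2]
    try:
        header = json.loads(_b64url_decode(head))
        payload = json.loads(_b64url_decode(body))
    except ValueError:  # bad base64 (binascii.Error), bad UTF-8, or bad JSON
        return None
    if not isinstance(header, dict) or "alg" not in header:
        return None
    return payload if isinstance(payload, dict) else None


def redact_env_dump(dump):
    """Sanitize a NAME=VALUE environment dump before it is published.
    Returns (sanitized_text, findings); findings is a list of (name, reason)."""
    clean_lines, findings = [], []
    for line in dump.splitlines():
        name, sep, value = line.partition("=")
        if not sep:
            clean_lines.append(line)
            continue
        reason = None
        if SENSITIVE_NAME.search(name):
            reason = "sensitive variable name"
        elif jwt_claims(value) is not None:
            reason = "value is a JWT"
        if reason:
            findings.append((name, reason))
            clean_lines.append(f"{name}=***REDACTED***")
        else:
            clean_lines.append(line)
    return "\n".join(clean_lines), findings


def make_fake_runtime_token():
    # Constructed token mirroring the claims quoted in the advisory; the
    # signature segment is a dummy string, so this token is worthless.
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {
        "ac": json.dumps([{"Scope": "refs/heads/master", "Permission": 3}]),
        "ref": "refs/heads/master",
        "repository": "OpenDDS/OpenDDS",
        "repository_visibility": "public",
        "workflow": "Build & Test",
    }
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"not-a-real-signature")])


# Constructed environment dump in the NAME=VALUE form a job prints.
SAMPLE_DUMP = "\n".join([
    "GITHUB_WORKFLOW=Build & Test",
    "GITHUB_REPOSITORY=OpenDDS/OpenDDS",
    "ACTIONS_RUNTIME_TOKEN=" + make_fake_runtime_token(),
    "ACTIONS_RUNTIME_URL=https://pipelines.example.invalid/",  # assumed name
    "SOME_OTHER_JWT=" + make_fake_runtime_token(),  # caught by shape, not name
    "CMAKE_VERSION=3.27.1",  # dotted but not a JWT: must stay visible
])

if __name__ == "__main__":
    sanitized, findings = redact_env_dump(SAMPLE_DUMP)
    print(sanitized)
    for name, reason in findings:
        print(f"redacted {name}: {reason}")
```

The name-based rule catches ACTIONS_RUNTIME_TOKEN regardless of its value; the JWT rule is the backstop for tokens hiding under unremarkable names, and the version-string line shows why the check decodes the header rather than trusting the dot pattern alone. Run it on the output of the job's print step before that output is written anywhere public.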

Impact

I don't know what permission 3 includes; it may be read-only or read/write. You can check by following https://docs.github.com/en/actions/security-guides/automatic-token-authentication

Severity

Moderate
6.5 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVE ID

No known CVE

Weaknesses

No CWEs

Credits