Security researcher Adnan Khan has received a $30,000 bug bounty from Google for a vulnerability in the Google Cloud Build service that could have allowed attackers to bypass maintainer code reviews and submit malicious code to customer repos.

Who's SHA is it Anyway: Bypassing Google Cloud Build Comment Control for $30,000

Overview I reported a subtle race condition in Google Cloud Build’s GitHub integration that could have allowed someone to bypass maintainer review when running pull request integrations tests. Google Cloud Build is a managed CI/CD platform that integrates with third-party source code management systems like GitHub. Since CI/CD systems are essentially code execution as a service, access control becomes very important. When a Google Cloud Build customer integrates with GitHub, they can configure a number of triggers - essentially events on GitHub that will trigger a Google Cloud Build execution. One of these triggers is on pull request. To reduce the risk of poisoned pipeline execution on public and inner-source repositories, Google Cloud Build has a “comment-control” feature that requires maintainers to create a comment in order to trigger a build from an untrusted contributor. I found that developers had baked a Time-of-Check-Time-of-Use (TOCTOU) vulnerability into this feature. Google has since mitigated the issue.