GHSL-2023-050: Command Injection in Apache Doris repository's CI workflow

Coordinated Disclosure Timeline

• 2023-03-10: Report sent to security@apache.org
• 2023-03-10: Report is acknowledged
• 2023-06-08: Deadline expires
• 2023-06-15: Fix is merged

Summary

Apache Doris repository is vulnerable to a Command Injection in auto_trigger_teamcity.yml.

Product

Apache Doris

Tested Version

4ddd303

Details

Actions command injection in auto_trigger_teamcity.yml (GHSL-2023-050)

The auto_trigger_teamcity.yml workflow is triggered on issue_comment (i.e., when a when a comment inside an Issue is created or updated). The workflow starts with full write-permissions GitHub repository token since the default workflow permissions on Organization/Repository level are set to read-write.

Taking the above into account, this workflow runs the following step with data controlled by said comment (${{ github.event.comment.body }} – the full contents of the comment), allowing an attacker to take over the GitHub Runner and run custom commands (potentially stealing any used secret) and altering the repository.

run_compile_pipeline:
  if: contains(github.event.comment.body, 'buildall') && contains(github.event.comment.body, 'run') && !contains(github.event.comment.body, 'Thanks for your contribution')
  runs-on: ubuntu-latest
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  steps:
    - name: Run pipeline by restful
      run: |
        ...
        comment="${{ github.event.comment.body }}"
        ...

Proof of Concept

1. Create an Issue in apache/doris (the title is unrelated).
2. Comment the following in the created Issue: buildall run"; echo "This could be a command to exfiltrate GITHUB_TOKEN";# (without backticks)
3. Check the workflow runs for the new Actions run that will execute the command echo "This could be a command to exfiltrate GITHUB_TOKEN".

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Resources

• CodeQL for JavaScript - Expression injection in Actions
• Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
• Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-050 in any communication regarding this issue.