Coordinated Disclosure Timeline
- 10/14/2020: Report sent to vendor
- 10/15/2020: Vendor acknowledges report receipt
- 10/15/2020: Issue fixed
Summary
The ‘Connect4’ GitHub Actions workflow (connect4.yml) is vulnerable to arbitrary code execution: the title of a public Issue is interpolated, unsanitized, into the Ruby script the workflow runs.
Product
JonathanGin52 GitHub repository
Tested Version
connect4.yml from the Master branch.
Details
Issue: The title of a public GitHub Issue is interpolated into Ruby code before it runs
When a user creates an Issue whose title matches a special pattern, the connect4.yml workflow starts automatically. GitHub Actions expands the ${{ github.event.issue.title }} expression textually inside the step's run: script before the shell (and therefore Ruby) ever sees it, so the public issue title is pasted into a single-quoted Ruby string literal without any sanitization or escaping. A title containing a single quote closes that literal and the rest of the title is executed as Ruby:
- name: Play
  run: |
    ruby <<- EORUBY
      require './connect4/runner'
      Connect4::Runner.new(
        github_token: '${{ secrets.GITHUB_TOKEN }}',
        issue_number: ENV.fetch('EVENT_ISSUE_NUMBER'),
        issue_title: '${{ github.event.issue.title }}',
        repository: ENV.fetch('REPOSITORY'),
        user: ENV.fetch('EVENT_USER_LOGIN'),
      ).run
    EORUBY
Impact
This vulnerability allows arbitrary Ruby code execution on the workflow runner, triggered by anyone who can open an Issue on the public repository. The injected code may exfiltrate the temporary GitHub repository authorization token from .git/config (the same token is also interpolated as a string literal into the script itself) to an attacker-controlled server. Although the token is no longer valid once the workflow finishes, the attacker controls the execution of the workflow and can delay its completion to give the malicious server time to modify the repository with the still-valid token.
For a proof of concept, create an issue with the title Iconnect4|' + raise('asdf') + ' and observe the thrown asdf exception in the action log.
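To make the injection concrete, the following is an added example (not code from the advisory or from the JonathanGin52 repository) that simulates in Ruby what GitHub Actions does to the Play step: it expands the ${{ github.event.issue.title }} expression textually into the script and then executes the result, using the advisory's own proof-of-concept title. It runs two shapes of the template: the vulnerable one from connect4.yml, and a hardened one that passes the title through an environment variable, which is GitHub's documented mitigation for script injection in workflows. Connect4::Runner is a stub, and the token value 'ghs_example', the repository 'owner/repo', the user login and the ISSUE_TITLE variable name are assumptions made for the example.

```ruby
# Added example: simulates the GitHub Actions expression-expansion step that
# turns a `run:` script into the Ruby that actually executes on the runner.
# Illustrative code, not the workflow's or the repository's own.

module Connect4
  # Stub with the same keyword arguments as the runner constructed in connect4.yml.
  class Runner
    attr_reader :issue_title

    def initialize(github_token:, issue_number:, issue_title:, repository:, user:)
      @issue_title = issue_title
    end

    def run
      self
    end
  end
end

# Vulnerable shape: the issue title lands inside a single-quoted Ruby literal.
# 'ghs_example' stands in for ${{ secrets.GITHUB_TOKEN }} (assumed placeholder).
VULNERABLE_TEMPLATE = <<~'RUBY'
  Connect4::Runner.new(
    github_token: 'ghs_example',
    issue_number: ENV.fetch('EVENT_ISSUE_NUMBER'),
    issue_title: '${{ github.event.issue.title }}',
    repository: ENV.fetch('REPOSITORY'),
    user: ENV.fetch('EVENT_USER_LOGIN'),
  ).run
RUBY

# Hardened shape: the title reaches Ruby only through an environment variable
# (on the step: env: ISSUE_TITLE: ${{ github.event.issue.title }}), so it is
# data to Ruby and never part of the source text. ISSUE_TITLE is an assumed name.
HARDENED_TEMPLATE = <<~'RUBY'
  Connect4::Runner.new(
    github_token: 'ghs_example',
    issue_number: ENV.fetch('EVENT_ISSUE_NUMBER'),
    issue_title: ENV.fetch('ISSUE_TITLE'),
    repository: ENV.fetch('REPOSITORY'),
    user: ENV.fetch('EVENT_USER_LOGIN'),
  ).run
RUBY

# Actions substitutes ${{ expr }} textually, with no quoting or escaping,
# before the script reaches the shell. This mimics that step.
def expand_expressions(template, context)
  template.gsub(/\$\{\{\s*([\w.]+)\s*\}\}/) { context.fetch($1) }
end

# Run a block with the given environment variables set, then restore them.
def with_env(vars)
  saved = vars.keys.map { |k| [k, ENV[k]] }.to_h
  vars.each { |k, v| ENV[k] = v }
  yield
ensure
  saved.each { |k, v| ENV[k] = v } # ENV[k] = nil removes the variable
end

# Simulate the Play step: expand the template, then execute the result exactly
# as `ruby <<- EORUBY` would. The repository and login values are placeholders.
def run_play_step(template, title, hardened: false)
  env = {
    'EVENT_ISSUE_NUMBER' => '1',
    'REPOSITORY' => 'owner/repo',
    'EVENT_USER_LOGIN' => 'someone',
  }
  env['ISSUE_TITLE'] = title if hardened
  script = expand_expressions(template, 'github.event.issue.title' => title)
  with_env(env) { eval(script) } # eval is deliberate: it is what the workflow does
end

if __FILE__ == $PROGRAM_NAME
  benign = 'Iconnect4|3'
  evil = "Iconnect4|' + raise('asdf') + '" # the advisory's proof-of-concept title
  puts "vulnerable, benign title: #{run_play_step(VULNERABLE_TEMPLATE, benign).issue_title}"
  begin
    run_play_step(VULNERABLE_TEMPLATE, evil)
  rescue RuntimeError => e
    puts "vulnerable, crafted title executed Ruby: raise('#{e.message}')"
  end
  puts "hardened, crafted title kept as data: #{run_play_step(HARDENED_TEMPLATE, evil, hardened: true).issue_title}"
end
```

The benign title behaves identically under both templates; the crafted title raises from inside the vulnerable script, exactly as the action log shows, while the hardened template hands it to the runner as an ordinary string. Any value an untrusted party controls (issue and PR titles and bodies, branch names, commit messages, review comments) should be routed through env: in the same way rather than written into run: via ${{ }}.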
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2020-182 in any communication regarding this issue.