Coordinated Disclosure Timeline
- 10/16/2020: Report sent to vendor
- 10/20/2020: Issue fixed
Summary
The ‘plugin-prechecks.yml’ GitHub workflow is vulnerable to arbitrary code execution, which may lead to the repository being compromised.
Product
homebridge/verified GitHub repository
Tested Version
plugin-prechecks.yml from the master branch.
Details
Issue: The tested npm package may use the temporary GitHub authorization token to make arbitrary changes in the repository
When a user creates a public issue, or comments on an existing issue with /check, the plugin-prechecks.yml GitHub workflow starts automatically. The body of the issue is used in the custom precheck action.
```javascript
const matches = issueBody.split('\n')
  .map((line) => {
    // Pull any http(s) URL out of the line; the issue body is untrusted user input
    const match = line ? line.match(/(https?:\/\/.[^ ]*)/gi) : null;
    if (match) {
      return match.find((x) => x.includes('npmjs.com/package'));
    }
  })
  .filter((m) => m)
  .map((x) => {
    // Take the path after npmjs.com/package/ and strip characters outside the allow-list
    const pluginName = x.split('/').splice(4).join('/').replace(/[^a-zA-Z0-9@\\/-]/g, '');
    return pluginName;
  });
...
// The user-supplied package name is installed as-is, so npm runs that package's install scripts
const proc = child_process.spawn('npm', ['install', this.packageName], {
  cwd: this.testPath,
```
Impact
Since npm install also runs the package's post-install scripts, this leads to arbitrary code execution of untrusted npm packages in the context of a GitHub Actions runner. It makes the temporary GitHub repository token available to the potentially malicious code, which can then be used to modify the repository content or run any malicious code in the hosted environment.
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-185 in any communication regarding this issue.