skip to content
Back to GitHub.com
Home Bounties CodeQL Research Advisories Get Involved Events
February 3, 2021

GHSL-2020-185: Arbitrary code execution in Plugins Verified by Homebridge workflow

Jaroslav Lobacevski

Coordinated Disclosure Timeline

Summary

The ‘plugin-prechecks.yml’ GitHub workflow is vulnerable to arbitrary code execution, that may lead to the repository being compromised.

Product

homebridge/verified GitHub repository

Tested Version

plugin-prechecks.yml from the master branch.

Details

Issue: The tested npm package may use the temporary GitHub authorization token to make arbitrary changes in the repository

When a user creates a public issue or comments on an existing issue with /check it automatically starts the plugin-prechecks.yml GitHub workflow. The body of the issue is used in the custom precheck action.

    const matches = issueBody.split('\n')
      .map((line) => {
        const match = line ? line.match(/(https?:\/\/.[^ ]*)/gi) : null
        if (match) {
          return match.find((x) => x.includes('npmjs.com/package'));
        }
      })
      .filter((m) => m)
      .map((x) => {
        const pluginName = x.split('/').splice(4).join('/').replace(/[^a-zA-Z0-9@\\/-]/g, '');
        return pluginName;
      });
...
      const proc = child_process.spawn('npm', ['install', this.packageName], {
        cwd: this.testPath,

Impact

Since npm install also executes post install scripts from the package this leads to arbitrary code execution of untrusted npm packages in the context of a GitHub action runner. It makes a temporary GitHub repository token available to the potentially malicious code which can be used to modify the repository content or run any malicious code in the hosted environment.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-185 in any communication regarding this issue.