Coordinated Disclosure Timeline

Summary

The comment.yml and output_comment.yml GitHub workflows are vulnerable to arbitrary command injection.

Product

drewmullen/actions-playground GitHub repository

Tested Version

comment.yml and output_comment.yml GitHub workflows from the master branch.

Details

Issue: The Pull Request comment is used to format a shell command

When a user comments on a Pull Request with a body starting with 'build' or 'echo', the comment.yml or output_comment.yml GitHub workflow starts automatically. The comment body is interpolated into the bash script of a run step through a ${{ }} expression, so its content becomes part of the script text itself.

on:
  issue_comment:
    types: [created]
jobs:
  build:
    if: >
      startsWith(github.event.comment.body, 'build')
      && startsWith(github.event.issue.pull_request.url, 'https://')
    runs-on: ubuntu-latest
    steps:
    - name: print comment body
      run: echo ${{ github.event.comment.body }}
    - name: set body comments
      run: |
        set -eu
        build_dir=$( cut -d ' ' -f 2 <<< '${{ github.event.comment.body }}' )
        buckets=$( cut -d ' ' -f 3- <<< "${{ github.event.comment.body }}" )
...

and

on:
  issue_comment:
    types: [created]
jobs:
  echo-chamber:
    if: >
      startsWith(github.event.comment.body, 'echo')
      && startsWith(github.event.issue.pull_request.url, 'https://')
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
...
    - name: set body comments
      id: listen
      run: |
        set -eu
        content=$( cut -d ' ' -f 2 <<< '${{ github.event.comment.body }}' )
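As an added example (not code from the advisory or from the drewmullen/actions-playground repository), the build job rewritten so the comment body is passed to the script as data in an environment variable rather than spliced into the script text; ${{ }} expressions are expanded before bash ever parses the step, so the single quotes around the original expression give no protection. The character allowlist on build_dir is an assumption about what values the job expects.

```yaml
on:
  issue_comment:
    types: [created]
jobs:
  build:
    if: >
      startsWith(github.event.comment.body, 'build')
      && startsWith(github.event.issue.pull_request.url, 'https://')
    runs-on: ubuntu-latest
    steps:
    - name: print comment body
      env:
        # Expression is evaluated here, into a variable, not into script text.
        COMMENT_BODY: ${{ github.event.comment.body }}
      run: printf '%s\n' "$COMMENT_BODY"

    - name: set body comments
      env:
        COMMENT_BODY: ${{ github.event.comment.body }}
      run: |
        set -eu
        # The body is read from the environment at runtime, so shell
        # metacharacters in it (;, $(), quotes) are never parsed as commands.
        build_dir=$( cut -d ' ' -f 2 <<< "$COMMENT_BODY" )
        buckets=$( cut -d ' ' -f 3- <<< "$COMMENT_BODY" )
        # Assumed allowlist: refuse a build_dir that is empty, contains
        # anything outside [A-Za-z0-9_./-], or has a '..' component.
        case "$build_dir" in
          ''|*[!A-Za-z0-9_./-]*|..|../*|*/..|*/../*)
            echo "refusing unexpected build_dir: $build_dir" >&2
            exit 1 ;;
        esac
        echo "build_dir=$build_dir buckets=$buckets"
```

Because the values are now ordinary variables, they must still be quoted ("$build_dir") wherever later steps use them; the env indirection removes script injection, not the need for validation.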

Impact

The repository is itself vulnerable and demonstrates unsafe practices that allow arbitrary command injection into a bash script. For a Proof of Concept, comment 'build; exit 1' on a Pull Request.
This arbitrary command injection potentially allows exfiltration of secrets available to the build runner. To make the attack less visible, the attacker may edit the comment afterwards.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2020-194 in any communication regarding this issue.