Coordinated Disclosure Timeline

Summary

The submit.yml GitHub workflow is vulnerable to arbitrary file write, which may lead to the repository being compromised.

Product

dd-center/vdb GitHub repository

Tested Version

submit.yml from the master branch.

Details

Issue: The body of a public GitHub issue is parsed and used to define the path and the content of a file write operation.

When a user creates a public issue, it automatically starts the submit.yml GitHub workflow. The body of the issue is passed to the submitPr.js script, where it is used without validation.

The relevant step in submit.yml:

    - name: Commit Branch
      run: node submitPr.js
      env:
        ISSUE_NUMBER: ${{ github.event.issue.number }}
        ISSUE_BODY: ${{ github.event.issue.body }}
        GITHUB_TOKEN: ${{ secrets.gtoken }}

The relevant code in submitPr.js:

  // ISSUE_BODY is the untrusted issue text; the submit block is cut out of it verbatim
  const block = ISSUE_BODY.split('-----END SUBMIT BLOCK-----')[0].split('-----BEGIN SUBMIT BLOCK-----')[1]
  if (block) {
    await decodeBase64(block)
      .split('\n')
      .map(command => command.split(':'))
      .map(([command, arg, extra = '']) => [command, decodeBase64(arg), decodeBase64(extra)])
      .map(([command, arg, content]) => async () => {
        // arg is attacker-controlled; join() does not prevent the result from leaving 'vtbs'
        const path = join('vtbs', arg)
        if (command === 'delete') {
          await unlink(path)
          console.log('delete', path)
        }
        if (command === 'put') {
          await writeFile(path, content)
          console.log('put', path)
        }
  ...
  }

Impact

This vulnerability allows for arbitrary file overwrite, which may lead to the repository being compromised. For example, an attacker may create an issue containing a put command that writes an attacker-controlled proxy server address into .git/config; the next git command run by the same submitPr.js script then sends the temporary GitHub repository authorization token to that proxy. Although the token is no longer valid after the workflow finishes, the proxy may hold the connection open to give the malicious server time to modify the repository.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2020-195 in any communication regarding this issue.