The submit.yml GitHub workflow is vulnerable to arbitrary file write, which may lead to the repository being compromised.
dd-center/vdb GitHub repository
submit.yml from the master branch.
When a user creates a public issue, the submit.yml GitHub workflow starts automatically. The body of the issue is used without validation in the submitPr.js action:
      - name: Commit Branch
        run: node submitPr.js
        env:
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          ISSUE_BODY: ${{ github.event.issue.body }}
          GITHUB_TOKEN: ${{ secrets.gtoken }}
const block = ISSUE_BODY.split('-----END SUBMIT BLOCK-----')[0].split('-----BEGIN SUBMIT BLOCK-----')[1]
if (block) {
  await decodeBase64(block)
    .split('\n')
    .map(command => command.split(':'))
    .map(([command, arg, extra = '']) => [command, decodeBase64(arg), decodeBase64(extra)])
    .map(([command, arg, content]) => async () => {
      // `arg` is taken directly from the issue body; join() does not stop '..' segments
      // from resolving outside the 'vtbs' directory
      const path = join('vtbs', arg)
      if (command === 'delete') {
        await unlink(path)
        console.log('delete', path)
      }
      if (command === 'put') {
        await writeFile(path, content)
        console.log('put', path)
      }
      ...
}
This vulnerability allows arbitrary file overwrite, which may lead to the repository being compromised. For example, an attacker may create an issue containing a command that writes an attacker-controlled proxy server address into .git/config; the next git command run by the same submitPr.js script then sends the temporary GitHub repository authorization token to that proxy. Although the token is no longer valid after the workflow finishes, the proxy may stall the connection to give the malicious server time to modify the repository.
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2020-195 in any communication regarding this issue.