February 3, 2021

GHSL-2020-239: Command injection in NVIDIA/spark-rapids workflow

Jaroslav Lobačevski

Coordinated Disclosure Timeline

  • 2020-11-26: Report sent to maintainers.
  • 2020-11-26:: Issue resolved.

Summary

The 'blossom-ci.yml' GitHub workflow is vulnerable to arbitrary command injection.

Product

NVIDIA/spark-rapids GitHub repository

Tested Version

The latest changeset 6c020cc to the date.

Details

Issue: The forked branch name is used to format a shell command

When an authorized user comments on a specially crafted pull request with build it automatically starts the GitHub workflow. The forked branch name is used to format a bash script.

on:
  issue_comment:
    types: [created]

jobs:
  authorization:
    name: Authorization
    # trigger on pre-defined text
    if: github.event.comment.body == 'build'
    runs-on: [self-hosted, linux, blossom]
    steps:
      - name: Check if comment is issued by authorized person
        run: blossom-ci
...
  vulnerability-scan-job:
    name: Vulnerability scan job
    needs: [authorization]
    runs-on: ubuntu-latest
    steps:
      - name: Get pull request data
        id: pull_request_data
        uses: octokit/request-action@v2.x
        with:
          route: 'GET /repos/:repository/pulls/:issue_id'
          repository: ${{ github.repository }}
          issue_id: ${{ github.event.issue.number }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Set blackduck project version
        id: blackduck-project-version
        run: echo "${{ fromJson(steps.pull_request_data.outputs.data).head.ref }}-${{ github.run_id }}"

It is assumed the blossom-ci doesn't allow triggering the workflow for external users. If an authorized person is tricked into commenting build on a PR this vulnerability allows for arbitrary command injection into the bash script. For a Proof of Concept create a PR from branch named a";echo${IFS}"hello"#.

Impact

The injection allows for exfiltration of secrets and the temporary GitHub repository authorization token to the attacker controlled server. Although the token is not valid after the workflow finishes, since the attacker controls the execution of the workflow he or she can delay it to give the malicious server time to modify the repository.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-239 in any communication regarding this issue.