Coordinated Disclosure Timeline
- 2020-11-26 to 2020-12-01: Report sent to various maintainers.
- 2020-12-01: Report acknowledged.
- 2020-12-01: Issue resolved.
Summary
The ‘sync_pull_request.yml’ GitHub workflow is vulnerable to arbitrary command injection.
Product
scikit-learn/scikit-learn GitHub repository
Tested Version
The latest changeset, 12f1521, at the time of the report.
Details
Issue: The forked branch name is used to format a shell command
When the label 'ci sync' is assigned to a PR, the GitHub workflow starts automatically. The name of the forked branch is interpolated directly into a bash script.
name: Sync Pull Request
on:
  pull_request_target:
    types: [labeled]
jobs:
  sync_pull_request:
    runs-on: ubuntu-latest
    if: contains(github.event.pull_request.labels.*.name, 'ci sync')
    steps:
      ...
      - name: Sync with master
        run: |
          set -xe
          git remote add pr_remote ${{ github.event.pull_request.head.repo.html_url }}
          git fetch pr_remote ${{ github.event.pull_request.head.ref }}
      ...
If an authorized person is tricked into assigning the label to a specially crafted PR, this vulnerability allows arbitrary command injection into the bash script. For a Proof of Concept, create a PR from a branch named main;echo${IFS}"abc";exit${IFS}0.
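The root cause is that a `${{ ... }}` expression is expanded into the script text before bash ever runs, so any context a PR author controls becomes part of the command. As an added example that is not part of the advisory or the scikit-learn project, the following Python scanner flags `run:` steps that expand such contexts; the sample workflow is a constructed excerpt of the one quoted above, and the context list is a subset of GitHub's documented untrusted inputs.

```python
import re

# Constructed excerpt modelled on the workflow quoted in the advisory above.
SAMPLE_WORKFLOW = """\
name: Sync Pull Request
on:
  pull_request_target:
    types: [labeled]
jobs:
  sync_pull_request:
    runs-on: ubuntu-latest
    if: contains(github.event.pull_request.labels.*.name, 'ci sync')
    steps:
      - name: Sync with master
        run: |
          set -xe
          git remote add pr_remote ${{ github.event.pull_request.head.repo.html_url }}
          git fetch pr_remote ${{ github.event.pull_request.head.ref }}
"""
# Contexts a PR author controls (a subset of GitHub's documented untrusted inputs).
UNTRUSTED = re.compile(
    r"^(github\.head_ref|github\.event\.(pull_request\.(title|body|head\.(ref|label"
    r"|repo\.default_branch))|issue\.(title|body)|comment\.body|review\.body"
    r"|review_comment\.body|head_commit\.message|commits\[\d+\]\.message))$"
)
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")  # a ${{ ... }} expression

def find_run_injections(workflow_text):
    """Return (line_no, context) for untrusted expressions expanded in run: scripts."""
    findings = []
    block_indent = None  # indent of the active 'run: |' key, None outside a script
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if block_indent is not None and stripped and indent <= block_indent:
            block_indent = None  # dedent ends the multi-line script
        m = re.match(r"(?:-\s+)?run:\s*(.*)$", stripped)
        if m:
            if m.group(1).strip() in ("|", ">", "|-", ">-"):
                block_indent = indent  # literal block follows on indented lines
                continue
            script = m.group(1)  # single-line 'run: command'
        elif block_indent is not None:
            script = stripped
        else:
            continue
        for ctx in EXPR.findall(script):
            if UNTRUSTED.match(ctx):  # the ${{ }} expansion happens before bash runs
                findings.append((no, ctx))
    return findings
```

The usual fix is to pass the value through an `env:` entry and reference it as a quoted shell variable (`"$HEAD_REF"`), so the branch name reaches bash as data rather than as script text.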
Impact
The injection allows exfiltration of the temporary GitHub repository authorization token to an attacker-controlled server. Although the token is no longer valid after the workflow finishes, the attacker controls the execution of the workflow and can delay its completion to give the malicious server time to modify the repository.
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-240 in any communication regarding this issue.