GHSL-2020-319: Arbitrary code execution in pangeo-data/climpred workflows

Coordinated Disclosure Timeline

• 2020-11-30-2020-12-01: Report sent to various maintainers.
• 2021-01-22: No reply. Asked for the contact publicly.
• 2021-01-22-23: Fix. Feedback. Additional fix.
• 2021-01-23: Issue resolved.

Summary

The climpred_installs.yml and climpred_testing.yml GitHub workflows in multiple branches are vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.

Product

pangeo-data/climpred GitHub repository

Tested Version

For example, the latest changeset 123e181 and b47a7e4 to the date.

Details

Issue: Untrusted code is explicitly checked out and run on a Pull Request from a fork

Workflows triggered on pull_request_target have read/write tokens for the base repository and the access to secrets. By explicitly checking out and running the build script from a fork the untrusted code is running in an environment that is able to push to the base repository and to access secrets. More details can be found in the article Keeping your GitHub Actions and workflows secure: Preventing pwn requests.

climpred_installs.yml:

on: pull_request_target
...
    - uses: actions/checkout@v2
      with:
        ref: ${{github.event.pull_request.head.ref}}
        repository: ${{github.event.pull_request.head.repo.full_name}}
...
      run: |
        python -m pip install --upgrade pip
        pip install -e .
...

The pip install -e . runs setup.py which is controlled by attacker.

climpred_testing.yml:

on: pull_request_target
...
      - uses: actions/checkout@v2
        with:
          ref: ${{github.event.pull_request.head.ref}}
          repository: ${{github.event.pull_request.head.repo.full_name}}
      - name: Install Conda environment
        uses: conda-incubator/setup-miniconda@v1
        with:
          auto-update-conda: true
          activate-environment: climpred-minimum-tests
          environment-file: ci/requirements/minimum-tests.yml
          python-version: ${{ matrix.python-version }}
      - name: Conda info
        shell: bash -l {0}
        run: conda info
      - name: Conda list
        shell: bash -l {0}
        run: conda list
      - name: Run tests
        shell: bash -l {0}
        run: |
          conda activate climpred-minimum-tests
          pytest --cov=climpred --cov-report=xml
...

The ci/requirements/minimum-tests.yml is controlled by attacker, but even the existing one contains - -e ../.. which runs setup.py from pull request.

Impact

The vulnerability allows for unauthorized modification of the base repository and secrets exfiltration.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-319 in any communication regarding this issue.