February 3, 2021

GHSL-2020-334: Arbitrary code execution in gsantner workflows

Jaroslav Lobačevski

Coordinated Disclosure Timeline

  • 2020-12-11: Report sent to maintainers.
  • 2020-12-22: Maintainers acknowledged.
  • 2020-12-22: Issue resolved.

Summary

The markor/build-android-project.yml, memetastic/build-android-project.yml and dandelion/link-validator.yml GitHub workflows are vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.

Product

gsantner/markor, gsantner/memetastic and gsantner/dandelion GitHub repositories.

Tested Version

The latest changesets 6cc10bc, 3c270f3 and ff62aa5 to the date.

Details

Issue: Untrusted code is explicitly checked out and run on a Pull Request from a fork

pull_request_target was introduced to allow triggered workflows to comment on PRs, label them, assign people, etc.. In order to make it possible the triggered action runner has read/write token for the base repository and the access to secrets. In order to prevent untrusted code from execution it runs in a context of the base repository.

By explicitly checking out and running build script from a fork the untrusted code is running in an environment that is able to push to the base repository and to access secrets.

on: [push, pull_request_target]

jobs:
  build:
    if: "!contains(github.event.head_commit.message, 'ci skip') && (!contains(github.event_name, 'pull_request') || (contains(github.event_name, 'pull_request') && github.event.pull_request.head.repo.full_name != github.repository))"
...
    - name: "Checkout: Code (PR)"
      uses: actions/checkout@v2
      if: "contains(github.event_name, 'pull_request')"
      with:
        ref: ${{github.event.pull_request.head.ref}}
        repository: ${{github.event.pull_request.head.repo.full_name}}
...
    - name: "Build: Project with make"
      run: make clean all
...

Impact

The vulnerability allows for unauthorized modification of the base repository and secrets exfiltration.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-334 in any communication regarding this issue.