Coordinated Disclosure Timeline

Summary

The shadow-pr.yml GitHub workflow is vulnerable to script injection.

Product

hasura/graphql-engine repository

Tested Version

The latest changeset of shadow-pr.yml to date.

Details

Issue: A pull request title is interpolated directly into an inline script

name: shadow pr
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

jobs:
  open-pr:
    if: ${{ startsWith(github.event.pull_request.body, '<!-- from mono -->') != true }}
...
    - name: "Open pull request"
      uses: actions/github-script@v3
      with:
        github-token: ${{secrets.HASURA_BOT_GH_TOKEN}}
        script: |
...
          try {
            const pr = await github.pulls.create({
              owner: 'hasura',
              repo: 'graphql-engine-mono',
              head: 'oss_pr_refs/pull/${{ github.event.number }}/head',
              base: 'main',
              title: '${{ steps.pr.outputs.ossPrTitle }}',
              body,
            });

Impact

The workflow is vulnerable to arbitrary script injection, which enables unauthorized modification of the base repository and exfiltration of secrets. For a PoC create a pull request with the title a',body});console.log('test')/*. The permissions of HASURA_BOT_GH_TOKEN do not matter, as it is possible to obtain a read-write GITHUB_TOKEN in the pull_request_target case.
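The root cause is that `${{ ... }}` expressions are expanded before the `script:` text is handed to github-script, so a pull request title containing a quote and a closing brace changes the JavaScript that runs. The step below is an added example, not the hasura/graphql-engine workflow or a patch the project published, showing the standard mitigation: pass attacker-influenced values through environment variables and read them with `process.env`, so expansion happens into a string value rather than into source code. The variable names PR_TITLE and PR_NUMBER are assumptions for illustration; the step name, action version, secret name and the `github.pulls.create` call follow the excerpt above.

```yaml
# Added example: the "Open pull request" step rewritten so that no untrusted
# pull request data is interpolated into JavaScript source.
# PR_TITLE and PR_NUMBER are assumed names chosen for this illustration.
    - name: "Open pull request"
      uses: actions/github-script@v3
      env:
        # Expressions are expanded here, into environment variables. A title such
        # as  a',body});console.log('test')/*  is then just an ordinary string.
        PR_TITLE: ${{ steps.pr.outputs.ossPrTitle }}
        PR_NUMBER: ${{ github.event.number }}
      with:
        github-token: ${{secrets.HASURA_BOT_GH_TOKEN}}
        script: |
          // Read the values from the environment instead of interpolating them.
          const title = process.env.PR_TITLE;
          const number = process.env.PR_NUMBER;
          // `body` is built earlier in the script (elided in the advisory excerpt).
          try {
            const pr = await github.pulls.create({
              owner: 'hasura',
              repo: 'graphql-engine-mono',
              head: `oss_pr_refs/pull/${number}/head`,
              base: 'main',
              title,
              body,
            });
          } catch (error) {
            // `core` is provided by github-script; fail the job on API errors.
            core.setFailed(error.message);
          }
```

The same rule applies to `run:` steps: any `${{ github.event.* }}` or `steps.*.outputs.*` value that an external contributor can influence should reach a shell or script only via `env:`, never by direct interpolation. Because `pull_request_target` executes in the base repository context with secrets available, a quick check when reviewing such workflows is to grep the `script:` and `run:` bodies for `${{` and confirm that every expression found there is trusted.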

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-031 in any communication regarding this issue.