Coordinated Disclosure Timeline
- 2021-02-04: Issue reported to maintainers
- 2021-02-04: Report acknowledged
- 2021-02-23: Issue fixed
Summary
The bloat.yml GitHub workflow in linebender/druid, linebender/runebender and linebender/norad is vulnerable to unauthorized modification of the base repository or secrets exfiltration.
Product
linebender/druid repository
linebender/runebender repository
linebender/norad repository
Tested Version
The latest version of bloat.yml as of the report date.
Details
Issue: A specific comment triggers a potentially untrusted pull request build in a privileged environment
When a user comments on a pull request, it triggers the following workflow, which checks out the pull request and builds the potentially untrusted code:
on:
  issue_comment:
    types: [created, edited]
...
    # if it isn't an issue comment run every time, otherwise only run if the comment starts with '/bloat'
    if: (!startsWith(github.event_name, 'issue_comment') || startsWith(github.event.comment.body, '/bloat'))
    steps:
    ...
      - name: build head
        if: steps.get_revs.outputs.base != steps.get_revs.outputs.head
        uses: actions-rs/cargo@v1
        with:
          command: build
          args: --release --examples
Impact
The triggered workflow has access to the write repository token and secrets. The vulnerability allows for unauthorized modification of the base repository and secrets exfiltration.
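The following is an added example of how the issue_comment-triggered job could be hardened; it is not the project's actual fix and covers only the comment-triggered path, not the other events bloat.yml runs on. The workflow name, the pull-requests write permission (assumed to be needed for posting the report) and the checkout ref are assumptions.

```yaml
name: bloat-hardened-example
on:
  issue_comment:
    types: [created, edited]

# Hypothetical hardening, not the project's own change: the GITHUB_TOKEN
# handed to this job is read-only for repository contents, so a build
# step that executes code from the pull request cannot push to the base
# repository with it.
permissions:
  contents: read
  pull-requests: write   # assumed: needed only to post the size report

jobs:
  bloat:
    # Run only for comments on pull requests that start with '/bloat' and
    # were posted by an owner, member or collaborator. A '/bloat' comment
    # from anyone else is ignored, so untrusted pull request code is never
    # built in this privileged context unless a maintainer asks for it.
    if: >-
      github.event.issue.pull_request &&
      startsWith(github.event.comment.body, '/bloat') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      - name: checkout pull request head
        uses: actions/checkout@v2
        with:
          # Check out the merge ref of the pull request that was commented
          # on (assumed layout); the job still runs with the read-only token.
          ref: refs/pull/${{ github.event.issue.number }}/merge
      - name: build head
        uses: actions-rs/cargo@v1
        with:
          command: build
          args: --release --examples
```

The permissions block bounds what the repository token can do; the author_association gate bounds who can cause pull request code to run with access to the job's secrets, which the token restriction alone does not address.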
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-048 in any communication regarding this issue.