Coordinated Disclosure Timeline
- 2021-10-25: Report sent to maintainers.
- 2021-10-26: Maintainers acknowledged.
- 2021-10-27: Issue fixed.
Summary
Explorer GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Product
Solana
Tested Version
Commit 968aafd (2021-10-25).
Details
Issue 1: Unauthorized modification of the base repository or secrets exfiltration from a Pull Request (GHSL-2021-1032)
The pull_request_target trigger used in the Explorer GitHub workflow explicitly checks out potentially untrusted code from a pull request and runs it.
on:
  ...
  pull_request_target:
    branches:
      - master
    paths:
      - 'explorer/**'
...
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      ...
      - run: npm i -g npm@7
      - run: npm ci
      - run: npm run format
      - run: npm run build
      - run: npm run test
By explicitly checking out and running a build script from a fork, the untrusted code runs in an environment that is able to push to the base repository and to access secrets. See Preventing pwn requests for more information.
A malicious user could create a pull request carrying a modified explorer/package.json, whose scripts are executed by the npm commands the workflow runs.
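The weak trigger configuration beside a hardened variant that keeps the same build and test steps, as an added example; this is not Solana's actual fix, and the job name, runner and step list are assumed:

```yaml
# Added example, not the project's own workflow. First document: the weak
# configuration described above. Second document: a hardened variant.

# --- Weak: pull_request_target + checkout of the PR head + running npm scripts.
# The job runs with a write-capable GITHUB_TOKEN and repository secrets, yet
# `npm ci` / `npm run ...` execute scripts taken from the fork's package.json.
on:
  pull_request_target:
    branches: [master]
    paths: ['explorer/**']
jobs:
  explorer:                      # assumed job name
    runs-on: ubuntu-latest       # assumed runner
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
      - run: npm ci
      - run: npm run build
      - run: npm run test
---
# --- Hardened: for pull requests from forks, the `pull_request` trigger runs
# with a read-only GITHUB_TOKEN and without access to repository secrets,
# which is all a build/test job needs. The explicit read-only `permissions`
# block also limits the token for branches from the base repository itself.
on:
  pull_request:
    branches: [master]
    paths: ['explorer/**']
permissions:
  contents: read
jobs:
  explorer:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2   # checks out the PR merge ref; no explicit head ref needed
      - run: npm ci
      - run: npm run build
      - run: npm run test
```

If a workflow genuinely needs pull_request_target (for example to comment on the PR), keep it in a separate job that never checks out or executes the pull request's code.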
Impact
The vulnerability allows for unauthorized modification of the base repository and secrets exfiltration.
Although the workflow file looks like it is under heavy development, note that, at the time of writing, the window of opportunity for possible attacks was open between Oct 19, 2021, 9:51 PM GMT+3 - Oct 21, 2021, 10:10 AM GMT+3, between Oct 22, 2021, 11:42 PM GMT+3 - Oct 22, 2021, 11:52 PM GMT+3, and between Oct 23, 2021, 11:09 AM GMT+3 - Oct 25, 2021, 11:13 AM GMT+3.
Credit
This issue was discovered and reported by GitHub team member @p0 (Pavel Avgustinov).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-1032 in any communication regarding this issue.