skip to content
Back to GitHub.com
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
December 8, 2021

GHSL-2021-1032: Unauthorized repository modification or secrets exfiltration from a Pull Request in Solana GitHub workflow

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

Explorer GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.

Product

Solana

Tested Version

Commit 968aafd (2021-10-25).

Details

Issue 1: Unauthorized modification of the base repository or secrets exfiltration from a Pull Request (GHSL-2021-1032)

The pull_request_target used in Explorer GitHub workflow explicitly checks out potentially untrusted code from a pull request and runs it.

on:
...
  pull_request_target:
    branches:
     - master
    paths:
      - 'explorer/**'
...
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
...
      - run: npm i -g npm@7
      - run: npm ci
      - run: npm run format
      - run: npm run build
      - run: npm run test

By explicitly checking out and running a build script from a fork the untrusted code is running in an environment that is able to push to the base repository and to access secrets. See Preventing pwn requests for more information.

A malicious user could create a pull request with a modified explorer/package.json command.

Impact

The vulnerability allows for unauthorized modification of the base repository and secrets exfiltration.

While the workflow file looks like it’s under heavy development, please note that the window of opportunity for possible attacks was open between Oct 19, 2021, 9:51 PM GMT+3 - Oct 21, 2021, 10:10 AM GMT+3, Oct 22, 2021, 11:42 PM GMT+3 - Oct 22, 2021, 11:52 PM GMT+3 and Oct 23, 2021, 11:09 AM GMT+3 - Oct 25, 2021, 11:13 AM GMT+3 at the time of writing.

Credit

This issue was discovered and reported by GitHub team member @p0 (Pavel Avgustinov).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-1032 in any communication regarding this issue.