Coordinated Disclosure Timeline
- 2023-02-06: Issue reported to the Apache security team.
- 2023-02-07: Apache security team confirms receipt.
- 2023-02-23: Apache security team updates us that the report was missed but has now been re-delivered to the CloudStack team.
- 2023-02-27: The issue was resolved.
- 2023-02-28: An additional issue was noticed and reported.
- 2023-05-09: The issue was resolved.
Summary
Apache Cloudstack is vulnerable to a Command Injection in sonar-check.yml.
Product
Apache Cloudstack
Tested Version
Details
Issue: Command Injection in Actions sonar-check.yml workflow (GHSL-2023-022)
The sonar-check.yml workflow is triggered on pull_request_target (i.e., when a Pull Request against the base repository is created or updated), which also covers the case where the Pull Request originates from a fork. Because the default permissions are not altered, the workflow runs with a GitHub repository token that has full write access.
Taking the above into account, this workflow runs the following step with data controlled by said fork (${{ github.event.pull_request.head.ref }}, the name of the fork's branch), allowing an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets such as GITHUB_TOKEN and SONAR_TOKEN) and alter the repository.
      - name: Run Build and Tests with Coverage
        id: coverage
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          PR_ID: ${{ github.event.pull_request.number }}
        run: |
          git clone https://github.com/shapeblue/cloudstack-nonoss.git nonoss
          cd nonoss && bash -x install-non-oss.sh && cd ..
          mvn -P quality -Dsimulator -Dnoredist clean install org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=apache_cloudstack -Dsonar.pullrequest.key=$PR_ID -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }} -Dsonar.pullrequest.github.repository=apache/cloudstack -Dsonar.pullrequest.provider=GitHub -Dsonar.pullrequest.github.summary_comment=true
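As an added illustration (not part of the advisory or of CloudStack's own code), the following Python scanner flags untrusted event contexts that a workflow expands directly inside a run: script, and its constructed sample places the vulnerable step next to a hardened form that passes the branch name through an env: variable and quotes it. The context list and the pull_request_target check are assumed heuristics, not an exhaustive rule set.

```python
import re

# Subset of event contexts GitHub documents as attacker-controllable (a PR author picks them).
UNTRUSTED = {
    "github.event.pull_request.head.ref", "github.event.pull_request.title",
    "github.event.pull_request.body", "github.event.comment.body", "github.head_ref",
}
EXPR = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
RUN_KEY = re.compile(r"(-\s+)?run:\s*(.*)$")

def is_privileged(workflow_text):
    """Heuristic: pull_request_target runs fork PRs with the base repo's write token."""
    return re.search(r"\bpull_request_target\b", workflow_text) is not None

def find_run_injections(workflow_text):
    """(line_no, context) for each untrusted context expanded directly into a run:
    script. Values routed through env: are not flagged: the shell sees them as data."""
    findings, in_run, run_indent = [], False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run and stripped and indent <= run_indent:
            in_run = False  # a dedent closes the block scalar
        m = None if in_run else RUN_KEY.match(stripped)
        if m and m.group(2).strip() in ("|", "|-", "|+", ">", ">-", ">+"):
            in_run, run_indent = True, indent + len(m.group(1) or "")
            continue
        if m:  # single-line run: value
            candidates = EXPR.findall(m.group(2))
        elif in_run:
            candidates = EXPR.findall(line)
        else:
            continue
        findings += [(no, c) for c in candidates if c in UNTRUSTED]
    return findings

# Constructed sample: the advisory's step, condensed, beside a hardened rewrite.
SAMPLE = """\
on: pull_request_target
steps:
  - name: Vulnerable
    run: |
      mvn -P quality sonar:sonar -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }}
  - name: Hardened
    env:
      PR_BRANCH: ${{ github.event.pull_request.head.ref }}
    run: |
      mvn -P quality sonar:sonar -Dsonar.pullrequest.branch="$PR_BRANCH"
"""
```

Running find_run_injections(SAMPLE) reports only line 5 (the vulnerable step); the hardened step's env: assignment is not flagged because the shell never parses the branch name as script text.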
Proof of Concept
- Fork the apache/cloudstack repository, whose name we will refer to as username/cloudstack-fork.
- Create a branch in username/cloudstack-fork with the name main;echo${IFS}"hello";#.
- Push any change to the former branch.
- Create a pull request from username/cloudstack-fork:main;echo${IFS}"hello";# to apache/cloudstack:main.
- Check the workflow runs for the new Actions run that will execute the command echo "hello".
Impact
This issue may lead to stealing workflow secrets and modification of the repository.
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Credit
This issue was discovered and reported by GHSL team members @jorgectf (Jorge Rosillo) and @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-022 in any communication regarding this issue.