Coordinated Disclosure Timeline

Summary

Cocos Engine is vulnerable to a Command Injection in web-interface-check.yml.

Product

Engine for Cocos Creator

Tested Version

3.7.0

Details

Issue: Actions Command Injection in web-interface-check.yml (GHSL-2023-027)

The web-interface-check.yml workflow is triggered on pull_request_target (i.e., when a Pull Request against the base repository is created or updated), which also covers the case where the Pull Request originates from a fork. Because the default permissions are not altered, the workflow starts with a GitHub repository token that has full write access.

Taking the above into account, this workflow runs the following step with data controlled by the fork (${{ github.head_ref }}, the name of the fork's branch), allowing an attacker to take over the GitHub Runner, run custom commands (potentially stealing secrets such as GITHUB_TOKEN), and alter the repository.

- name: merge HEAD branch
  working-directory: ./engine
  run: |
    git remote add HEAD_REPO https://github.com/${{ github.event.pull_request.head.repo.full_name }}.git
    git fetch HEAD_REPO ${{ github.head_ref }}
    git merge remotes/HEAD_REPO/${{ github.head_ref }}

This issue was found with CodeQL using the JavaScript "Expression injection in Actions" query.

Proof of Concept

  1. Fork the cocos/cocos-engine repository, which we will refer to as username/cocos-engine-fork.
  2. Create a branch in username/cocos-engine-fork with the name develop;echo${IFS}"hello";#.
  3. Push any change to the former branch.
  4. Create a pull request from username/cocos-engine-fork:develop;echo${IFS}"hello";# to cocos/cocos-engine:develop.
  5. Check the workflow runs for the new Actions run that will execute the command echo "hello".
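The following added example (not part of the advisory or the Cocos project) reproduces offline why the step above is exploitable and how the same step behaves once the branch name is passed through an environment variable instead of being interpolated into the script. The git command is a constructed stand-in that only reports what it was asked to fetch.

```sh
#!/bin/sh
# Constructed input: the branch name used in the proof of concept above.
POC_REF='develop;echo${IFS}"hello";#'

# Stand-in for git so the demonstration runs offline (assumption: no network).
# It reports the ref argument it received and how many arguments it got.
git() {
  printf 'GIT_FETCH_REF=<%s> ARGC=%s\n' "$3" "$#"
}

# Vulnerable pattern: ${{ github.head_ref }} is substituted into the script
# text before the shell parses it, so shell metacharacters in the branch
# name become shell syntax. eval models that textual substitution.
run_unsafe() {
  script="git fetch HEAD_REPO $1"
  eval "$script"
}

# Hardened pattern: the workflow would declare
#   env:
#     HEAD_REF: ${{ github.head_ref }}
# and the script references the quoted variable, so the whole branch name
# reaches git as a single argument and is never parsed as shell code.
run_safe() {
  HEAD_REF=$1
  export HEAD_REF
  git fetch HEAD_REPO "$HEAD_REF"
}

run_unsafe "$POC_REF"   # prints a truncated ref, then the injected "hello"
run_safe "$POC_REF"     # prints the full ref as one argument
```

Since Git accepted this branch name in the proof of concept, filtering on ref validity is not a fix; passing the value through an environment variable and quoting it is.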

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Resources

CVE

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2023-027 in any communication regarding this issue.