Coordinated Disclosure Timeline
- 2023-05-03: Report sent to maintainer
- 2023-05-06: Fix commit is pushed
Summary
The iluwatar/java-design-patterns
repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.
Product
Design patterns implemented in Java
Tested Version
Details
Actions command injection in maven-pr-builder.yml
(GHSL-2023-099
)
The maven-pr-builder.yml
workflow is triggered on pull_request_target
(i.e., when a Pull Request against the base repository is created or updated), which also covers the case when a Pull Request originates from a fork. The workflow starts with full write
GitHub repository token permissions since the defaults aren’t altered.
Taking the above into account, this workflow runs the following step with data controlled by said fork (${{ github.head_ref }}
– the name of the fork’s branch), allowing an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets such as GITHUB_TOKEN
, SONAR_TOKEN
) and altering the repository.
- name: Build with Maven and run SonarQube analysis
run: xvfb-run ./mvnw clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.host.url=https://sonarcloud.io -Dsonar.organization=iluwatar -Dsonar.projectKey=iluwatar_java-design-patterns -Dsonar.pullrequest.branch=${{ github.head_ref }} -Dsonar.pullrequest.base=${{ github.base_ref }} -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
env:
# These two env variables are needed for sonar analysis
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
This issue was found by the Expression injection in Actions CodeQL query.
Proof of Concept
- Fork the iluwatar/java-design-patterns repository, whose name we will refer as
username/java-design-patterns-fork
. - Create a branch in
username/java-design-patterns-fork
with the namemaster;echo${IFS}"hello";#
. - Push any change to the former branch.
- Create a pull request from
username/java-design-patterns-fork:master;echo${IFS}"hello";#
toiluwatar/java-design-patterns:master
. - Check the workflow runs for the new Actions run that will execute the command
echo "hello"
.
Impact
This issue may lead to stealing workflow secrets and modification of the repository.
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Credit
This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).
Contact
You can contact the GHSL team at securitylab@github.com
, please include a reference to GHSL-2023-099
in any communication regarding this issue.