Coordinated Disclosure Timeline
- 2023-05-04: Report sent to security@apache.com
- 2023-05-04: Report is acknowledged
- 2023-08-02: Deadline expires
- 2023-09-22: Temporary fix is pushed
Summary
The apache/ignite repository is vulnerable to a command injection in Actions, allowing an attacker to leak secrets.
Product
Apache Ignite
Tested Version
Details
Actions command injection in sonar-pr-from-fork.yml (GHSL-2023-100)
The sonar-pr-from-fork.yml workflow is triggered on pull_request_target (i.e., when a Pull Request against the base repository is created or updated), which also covers the case when a Pull Request originates from a fork. Taking the above into account, this workflow runs the following step with data controlled by said fork (${{ github.head_ref }} – the name of the fork’s branch). Because the expression is expanded into the step’s shell script before the script runs, any shell metacharacters in the branch name are interpreted as commands, allowing an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets such as GITHUB_TOKEN, SONARCLOUD_TOKEN).
```yaml
      - name: Sonar Analyze Upload
        run: >
          ./mvnw org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -P all-java,lgpl,examples,skip-docs
          -Dsonar.pullrequest.branch=${{ github.head_ref }}
          -Dsonar.pullrequest.base=${{ github.base_ref }}
          -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
          -Dsonar.pullrequest.github.repository=apache/ignite
          -Dsonar.pullrequest.provider=GitHub
          -Dsonar.pullrequest.github.summary_comment=true
          -Dsonar.projectKey=apache_ignite
          -Dsonar.login=${SONARCLOUD_TOKEN}
          -B -V
        env:
          MAVEN_OPTS: "-XX:+UseG1GC -XX:InitialHeapSize=2g -XX:MaxHeapSize=6g -XX:+UseStringDeduplication"
          SONAR_OPTS: "-XX:+UseG1GC -XX:InitialHeapSize=2g -XX:MaxHeapSize=6g -XX:+UseStringDeduplication"
          JAVA_OPTS: "-XX:+UseG1GC -XX:InitialHeapSize=2g -XX:MaxHeapSize=6g -XX:+UseStringDeduplication"
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONARCLOUD_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
```
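As an added example (not part of this advisory and not code from the Apache Ignite project), the following Python script shows how a maintainer can check workflow files for this class of bug and how the affected step is hardened. It scans every run: step for ${{ }} expressions that read context values a pull-request author controls (github.head_ref and similar), and rewrites such a step so the value is passed through an env variable and referenced as a quoted shell variable, which is the remediation GitHub's "Untrusted input" guidance (see Resources) recommends. The list of untrusted contexts, the sample workflow text and all function names are constructed for this example; the scanner is line-based so that it needs no YAML library.

```python
import re

# Expression paths a pull-request author can set freely (branch names, titles,
# bodies, comments). Drawn from GitHub's guidance on untrusted input; not exhaustive.
UNTRUSTED_CONTEXTS = (
    "github.head_ref",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.pull_request.head.repo.default_branch",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.review.body",
)

EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
RUN_KEY_RE = re.compile(r"^(\s*)(- )?run:\s*(.*)$")


def is_untrusted(expr):
    """True if the expression reads a context value a PR author controls."""
    return any(expr == ctx or expr.startswith(ctx + ".") for ctx in UNTRUSTED_CONTEXTS)


def run_blocks(workflow_text):
    """Yield (line_no, [lines]) for every run: scalar in the workflow.

    Line-based on purpose: continuation lines of a `run: >` or `run: |` block are
    those indented deeper than the run: key itself.
    """
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + (2 if m.group(2) else 0)
        block = [] if m.group(3) in ("", ">", "|", ">-", "|-") else [m.group(3)]
        start = i
        i += 1
        while i < len(lines):
            line = lines[i]
            if line.strip() and (len(line) - len(line.lstrip(" "))) <= key_indent:
                break
            block.append(line.strip())
            i += 1
        yield start + 1, block


def find_injections(workflow_text):
    """Return [(line_no, expression)] for untrusted expressions inside run: steps."""
    findings = []
    for line_no, block in run_blocks(workflow_text):
        for expr in EXPR_RE.findall("\n".join(block)):
            if is_untrusted(expr):
                findings.append((line_no, expr))
    return findings


def env_name(expr):
    """Map an expression path to a shell-safe environment variable name."""
    return re.sub(r"[^A-Za-z0-9]+", "_", expr).strip("_").upper()


def harden_run_step(run_body):
    """Move untrusted expressions out of the script text into env variables.

    Returns (new_body, env_map). The runner no longer splices attacker text into
    the script; the shell reads it as an ordinary, double-quoted variable.
    """
    env_map = {}

    def replace(m):
        expr = m.group(1)
        if not is_untrusted(expr):
            return m.group(0)
        name = env_name(expr)
        env_map[name] = "${{ %s }}" % expr
        return '"$%s"' % name

    return EXPR_RE.sub(replace, run_body), env_map


# Constructed sample modelled on the step quoted above (not the repository's real
# file). The second step shows the hardened pattern and must produce no finding.
SAMPLE_WORKFLOW = """\
name: sample
on:
  pull_request_target:
jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - name: Sonar Analyze Upload
        run: >
          ./mvnw sonar:sonar
          -Dsonar.pullrequest.branch=${{ github.head_ref }}
          -Dsonar.pullrequest.base=${{ github.base_ref }}
          -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
        env:
          SONARCLOUD_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
      - name: Hardened variant
        run: ./mvnw sonar:sonar -Dsonar.pullrequest.branch="$HEAD_REF"
        env:
          HEAD_REF: ${{ github.head_ref }}
"""

if __name__ == "__main__":
    for line_no, expr in find_injections(SAMPLE_WORKFLOW):
        print("line %d: untrusted expression %s inside run:" % (line_no, expr))
    body, env = harden_run_step("-Dsonar.pullrequest.branch=${{ github.head_ref }}")
    print("hardened:", body, env)
```

Only the first step is reported; github.base_ref and the pull request number are not attacker-chosen text and are left alone, while github.head_ref is moved into an env entry and quoted. Running the scanner in CI against every file under .github/workflows catches the same pattern before it is merged.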
Proof of Concept
- Fork the apache/ignite repository, whose name we will refer to as username/ignite-fork.
- Create a branch in username/ignite-fork with the name master;echo${IFS}"hello";#
- Push any change to the former branch.
- Create a pull request from username/ignite-fork:master;echo${IFS}"hello";# to apache/ignite:master.
- Check the workflow runs for the new Actions run that will execute the command echo "hello".
Impact
This issue may lead to stealing workflow secrets.
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Credit
This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-100 in any communication regarding this issue.