Coordinated Disclosure Timeline
- 2023-05-08: Report sent to security@tidelift.com
- 2023-05-08: Report is acknowledged
- 2023-05-09: Fix commit is pushed
Summary
The textualize/rich repository is vulnerable to a command injection in Actions.
Product
Rich
Tested Version
Details
Actions command injection in newissue.yml (GHSL-2023-106)
The newissue.yml workflow is triggered on issues [created] (i.e., when an Issue is created). Therefore, this workflow runs the following step with data controlled by said Issue (${{ github.event.issue.title }} – the title of the Issue), allowing an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets and altering the repository).

    - name: Run Suggest
      run: faqtory suggest "${{ github.event.issue.title }}" > suggest.md
This issue was found by the Expression injection in Actions CodeQL query.
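As an added illustration, not the rich project's own workflow, the vulnerable step reported above is shown next to the hardened form in which the untrusted title is passed through an environment variable, so the shell receives it as data rather than as part of the script it parses. The workflow name, the permissions block and the use of the opened activity type are assumptions made for this example.

```yaml
# Added example (constructed, not newissue.yml itself): the reported pattern
# beside its hardened form. The step name and the "faqtory suggest" command
# come from the advisory; the rest is illustrative.
name: Suggest related FAQ entries

on:
  issues:
    types: [opened]   # GitHub's activity type for a newly created issue

# Least privilege for GITHUB_TOKEN: limits what a compromised runner could do.
# Assumed here; extend only with what later steps actually need.
permissions:
  contents: read

jobs:
  suggest-vulnerable:
    runs-on: ubuntu-latest
    steps:
      - name: Run Suggest
        # VULNERABLE: the ${{ }} expression is expanded by GitHub before the
        # shell sees the script, so a double quote in the issue title closes
        # the argument and whatever follows is executed as a command.
        run: faqtory suggest "${{ github.event.issue.title }}" > suggest.md

  suggest-hardened:
    runs-on: ubuntu-latest
    steps:
      - name: Run Suggest
        # HARDENED: the expression is assigned to an environment variable.
        # The script text no longer contains attacker-controlled characters;
        # the shell expands $ISSUE_TITLE as a value, and the double quotes
        # keep it a single argument whatever it contains.
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: faqtory suggest "$ISSUE_TITLE" > suggest.md
```

The same rule applies to every other event field an issue author controls (body, labels, comment text): never interpolate it into run:, only into env:.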
Proof of Concept
- Open an Issue against textualize/rich with the title: "; echo "hello";#
- Check the workflow runs for the new Actions run that will execute the command: echo "hello"
Impact
This issue may lead to stealing workflow secrets and alteration of the repository.
Resources
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Credit
This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2023-106 in any communication regarding this issue.