Coordinated Disclosure Timeline

Summary

Stash repository is vulnerable to an Actions command injection in e2e.yml.

Product

Stash

Tested Version

v0.29.0

Details

Actions command injection in e2e.yml (GHSL-2023-108)

The e2e.yml workflow is triggered on issue_comment [created] (i.e., when a comment inside an Issue or Pull Request is created). The workflow starts with a GitHub repository token that has full write permissions, since the default workflow permissions at the Organization/Repository level are set to read-write.

Taking the above into account, this workflow runs the following step with data controlled by said comment (${{ github.event.comment.body }} – the full contents of the comment). Because the expression is substituted into the run script before the shell parses it, a comment containing shell metacharacters becomes part of the script itself, allowing an attacker to take over the GitHub Runner to run custom commands or alter the repository.

- id: set-matrix
  name: Generate test matrix
  run: |
    k8s=(v1.20.15 v1.22.15 v1.24.7 v1.26.0)

    IFS=' '
    read -ra COMMENT <<< "${{ github.event.comment.body }}"
    if [ ! -z ${COMMENT[1]} ]; then
      k8s=(${COMMENT[1]})
    fi

    matrix=()
    for x in ${k8s[@]}; do
      matrix+=( $( jq -n -c --arg x "$x" '{"k8s":$x}' ) )
    done

    # https://stackoverflow.com/a/63046305/244009
    function join { local IFS="$1"; shift; echo "$*"; }
    matrix=$(echo "{"include":[$(join , ${matrix[@]})]}")
    echo $matrix
    echo "::set-output name=matrix::$matrix"
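For comparison, the following is a hardened version of the same step, written here as an added example and not taken from the Stash repository or its eventual fix. It assumes the job is named build and that jobs.build.if accepts /ok-to-test comments on pull requests (the page references that condition but does not show it). The comment body reaches the shell only through an environment variable, the job token is reduced to read-only, the requested version is checked against an allow-list pattern before it is used, and the deprecated ::set-output command is replaced by $GITHUB_OUTPUT.

```yaml
# Hardened "Generate test matrix" step (added example, not Stash's own code).
# Differences from the vulnerable step:
#  1. The comment body is passed via `env:`; GitHub sets it as a process
#     environment variable, so it is never spliced into the script text.
#  2. `permissions:` limits the GITHUB_TOKEN to what the job actually needs.
#  3. The version override is validated against a strict pattern; anything
#     containing quotes, ';', '$(' or other metacharacters is rejected.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Assumed condition; expressions in `if:` are evaluated by the Actions
    # expression engine, not by a shell, so they are not subject to this injection.
    if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '/ok-to-test') }}
    steps:
      - id: set-matrix
        name: Generate test matrix
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}  # delivered as data, not code
        run: |
          set -euo pipefail
          k8s=(v1.20.15 v1.22.15 v1.24.7 v1.26.0)

          # Split the comment on whitespace; the second token may override the matrix.
          read -ra COMMENT <<< "$COMMENT_BODY"
          if [ -n "${COMMENT[1]:-}" ]; then
            if [[ ! "${COMMENT[1]}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
              echo "Rejected test matrix override: ${COMMENT[1]}" >&2
              exit 1
            fi
            k8s=("${COMMENT[1]}")
          fi

          # Build {"include":[{"k8s":"v1.20.15"},...]} with jq so values are JSON-escaped.
          matrix=$(printf '%s\n' "${k8s[@]}" | jq -R . | jq -s -c '{include: map({k8s: .})}')
          echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
```

With this layout the proof-of-concept comment /ok-to-test"; echo "hello" simply fails validation and stops the job; the quotes and semicolon are inert because bash only ever sees them as the contents of a quoted variable.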

Proof of Concept

  1. Comment the following in a Pull Request (satisfying jobs.build.if): /ok-to-test"; echo "hello"
  2. Check the workflow runs for the new Actions run that will execute the command echo "hello".

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Resources

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2023-108 in any communication regarding this issue.