Coordinated Disclosure Timeline
- 2023-05-09: Opened issue
- 2023-05-12: Opened security advisory
- 2023-07-17: Fix PR is merged
Summary
The TDesign Vue Next repository is vulnerable to an Actions command injection in auto-release.yml.
Product
TDesign Vue Next
Tested Version
Details
Actions command injection in auto-release.yml (GHSL-2023-109)
The auto-release.yml workflow is triggered on issue_comment (i.e., when a comment inside an Issue or Pull Request is created or updated). The workflow starts with a full write-permissions GitHub repository token, since the default workflow permissions at the Organization/Repository level are set to read-write.
Taking the above into account, this workflow runs the following step with data controlled by said comment (${{ github.event.comment.body }} – the full contents of the comment), allowing an attacker to take over the GitHub Runner to run custom commands and alter the repository.
- name: Commit and push if needed
  run: |
    txt=$(cat CHANGELOG.md)
    body='${{ github.event.comment.body }}'
    echo "${txt%%##*}${body}${txt##*---}" > CHANGELOG.md
    git add .
    git config --local user.email "github-actions[bot]@users.noreply.github.com"
    git config --local user.name "github-actions[bot]"
    git commit -m "chore: changelog's changes"
    git push
    echo "💾 pushed changelog's changes"
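As an added illustration, not part of the advisory, here is a small Python scanner in the spirit of the CodeQL query listed under Resources: it flags `${{ }}` expressions that name attacker-controlled event contexts inside a `run:` script, and stays silent on the hardened shape that first passes the comment body through an environment variable. The list of untrusted contexts and both sample steps are constructed for this example.

```python
import re

# Event contexts an outside contributor controls; a constructed subset of the
# list in GitHub Security Lab's "Untrusted input" article.
UNTRUSTED = re.compile(
    r"github\.event\.(comment\.body|issue\.(title|body)|pull_request\.(title|body)"
    r"|review\.body|review_comment\.body|head_commit\.message)")
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN = re.compile(r"(?:-\s+)?run:\s*(.*)$")

def find_expression_injections(workflow_text):
    """Return [(line_no, expression)] for each ${{ }} naming an untrusted context
    inside a `run:` script. Line-oriented scan assuming normal YAML indentation."""
    findings, block_indent = [], None  # block_indent: indent of the `run: |` key
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if block_indent is not None and stripped and indent <= block_indent:
            block_indent = None  # dedented past the key: block scalar ended
        m = RUN.match(stripped)
        if m:
            if m.group(1) in ("|", ">", "|-", ">-", "|+", ">+"):
                block_indent = indent
                continue
            candidates = EXPR.findall(m.group(1))  # inline `run: cmd`
        elif block_indent is not None:
            candidates = EXPR.findall(line)  # one line of the shell script
        else:
            continue  # env:, with:, name: ... are not interpreted by a shell
        findings += [(no, e) for e in candidates if UNTRUSTED.search(e)]
    return findings

# Constructed samples: the advisory's vulnerable step, and a hardened variant
# that hands the comment body to the script through an environment variable.
VULNERABLE_STEP = """\
      - name: Commit and push if needed
        run: |
          txt=$(cat CHANGELOG.md)
          body='${{ github.event.comment.body }}'
          echo "${txt%%##*}${body}${txt##*---}" > CHANGELOG.md
"""
HARDENED_STEP = """\
      - name: Commit and push if needed
        env:
          BODY: ${{ github.event.comment.body }}
        run: |
          txt=$(cat CHANGELOG.md)
          echo "${txt%%##*}${BODY}${txt##*---}" > CHANGELOG.md
"""
```

In the hardened form the expression is expanded into a variable before the shell starts, so quotes in the comment can no longer terminate the `body='...'` literal.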
Proof of Concept
- Open a Pull Request against tencent/tdesign-vue-next.
- Comment the following in the created PR:
  ## 🌈 '; echo "hello"
- Check the workflow runs for the new Actions run that will execute the command echo "hello".
Impact
This issue may lead to stealing workflow secrets and modification of the repository.
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Credit
This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2023-109 in any communication regarding this issue.