GHSL-2023-109: GitHub Actions command injection in a TDesign Vue Next workflow

Coordinated Disclosure Timeline

2023-05-09: Opened issue
2023-05-12: Opened security advisory
2023-07-17: Fix PR is merged

Summary

TDesign Vue Next repository is vulnerable to an Actions command injection in auto-release.yml.

Product

TDesign Vue Next

Tested Version

🌈 1.3.2

Details

Actions command injection in `auto-release.yml` (`GHSL-2023-109`)

The auto-release.yml workflow is triggered on issue_comment (i.e., when a when a comment inside an Issue or Pull Request is created or updated). The workflow starts with full write-permissions GitHub repository token since the default workflow permissions on Organization/Repository level are set to read-write.

Taking the above into account, this workflow runs the following step with data controlled by said comment (${{ github.event.comment.body }} – the full contents of the comment), allowing an attacker to take over the GitHub Runner to run custom commands and alter the repository.

- name: Commit and push if needed
  run: |
    txt=$(cat CHANGELOG.md)
    body='${{ github.event.comment.body }}'
    echo "${txt%%##*}${body}${txt##*---}" > CHANGELOG.md
    git add .
    git config --local user.email "github-actions[bot]@users.noreply.github.com"
    git config --local user.name "github-actions[bot]"
    git commit -m "chore: changelog's changes"
    git push
    echo "💾 pushed changelog's changes"

Proof of Concept

Open a Pull Request against tencent/tdesign-vue-next.
Comment the following in the created PR: ## 🌈 '; echo "hello"
Check the workflow runs for the new Actions run that will execute the command echo "hello".

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Resources

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-109 in any communication regarding this issue.