Coordinated Disclosure Timeline
- 2023-05-09: Opened https://github.com/winglang/wing/issues/2453
- 2023-05-21: Fix commit is pushed
Summary
The winglang/wing repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.
Product
Wing Language
Tested Version
Details
Actions command injection in wingsdk-mutation.yml (GHSL-2023-110)
The wingsdk-mutation.yml workflow is triggered on pull_request_target (i.e., when a Pull Request against the base repository is created or updated), which also covers the case where the Pull Request originates from a fork. The workflow starts with contents: write GitHub repository token permissions.

Given those permissions, this workflow runs the following step with data controlled by the fork (${{ github.event.pull_request.head.ref }}, the name of the fork's branch). Because the expression is expanded directly into the shell script of the run step, a crafted branch name allows an attacker to take over the GitHub Runner and run custom commands, potentially stealing secrets or altering the repository.
```yaml
- name: Push changes
  if: steps.token-check.outputs.HAS_TOKEN == 'true' && steps.self_mutation.outputs.self_mutation_happened
  run: |-
    git config user.name "monada-bot[bot]"
    git config user.email "monabot@monada.co"
    git commit -s -m "chore: self mutation"
    git push origin HEAD:${{ github.event.pull_request.head.ref }}
```
This issue was found by the Expression injection in Actions CodeQL query.
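As an added example (not the project's own fix commit), the same step written so that the branch name reaches the shell through an environment variable instead of being interpolated into the script; the variable name HEAD_REF is an assumption:

```yaml
- name: Push changes
  if: steps.token-check.outputs.HAS_TOKEN == 'true' && steps.self_mutation.outputs.self_mutation_happened
  env:
    # The expression is evaluated by the Actions runner into an environment
    # variable before the script runs, so the branch name is never part of
    # the shell source text. A name such as foo;echo${IFS}"hello";# is
    # therefore passed to git as a single, quoted argument.
    HEAD_REF: ${{ github.event.pull_request.head.ref }}  # HEAD_REF is an assumed name
  run: |-
    git config user.name "monada-bot[bot]"
    git config user.email "monabot@monada.co"
    git commit -s -m "chore: self mutation"
    git push origin HEAD:"$HEAD_REF"
```

Quoting "$HEAD_REF" matters: without the double quotes the shell would still word-split the value, even though it can no longer be parsed as separate commands.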
Proof of Concept
- Fork the winglang/wing repository; we will refer to the fork as username/wing-fork.
- Create a branch in username/wing-fork with the name foo;echo${IFS}"hello";#.
- Push a change to that branch satisfying self_mutation.
- Create a pull request from username/wing-fork:foo;echo${IFS}"hello";# to winglang/wing:main.
- Check the workflow runs for the new Actions run that will execute the command echo "hello".
Impact
This issue may lead to stealing workflow secrets and modification of the repository.
Resources
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Credit
This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).
Contact
You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2023-110 in any communication regarding this issue.