GHSL-2023-179: Command injection in Home Assistant GitHub Actions workflows

Coordinated Disclosure Timeline

• 2023-07-20: Vulnerability report sent to security@home-assistant.io
• 2023-08-23: Follow up email sent to confirm receipt of report
• 2023-08-28: Follow up public issue to confirm receipt of report
• 2023-08-28: Vulnerability report sent through GitHub PVR (GHSA-jff5-5j3g-vhqc)
• 2023-09-05: Fix PR merged

Summary

The home-assistant/actions helpers/version workflow is vulnerable to a command injection in Actions, allowing an attacker to potentially leak secrets and alter the repository using the workflow.

Product

Home Assistant

Tested Version

de031f3

Details

Actions expression injection in helpers/version/action.yml (GHSL-2023-179)

The helpers/version workflow is using the raw github.head_ref value inside the publish step:

- shell: bash
   id: publish
   run: |
     ...
     elif [[ "${{ inputs.type }}" =~ (plugin|supervisor) ]]; then
       if [[ ! -z "${{ github.head_ref }}" ]]; then
     ...

In the event of a repository using home-assistant/actions/helpers/version in a pull_request_target-triggered workflow, an attacker could use a malicious branch name to gain command execution in the step and potentially leak secrets.

name: Example

on: pull_request_target

jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - name: Get version
        id: version
        uses: home-assistant/actions/helpers/version@v1.0.0

Impact

This issue may lead to stealing workflow secrets.

Resources

• CodeQL for JavaScript - Expression injection in Actions
• Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
• Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests

Credit

This issue was discovered and reported by GHSL team members @jorgectf (Jorge) and @p- (Peter Stöckli).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-179 in any communication regarding this issue.