Coordinated Disclosure Timeline
- 2023-07-20: Vulnerability report sent to security@home-assistant.io
- 2023-08-23: Follow up email sent to confirm receipt of report
- 2023-08-28: Follow up public issue to confirm receipt of report
- 2023-08-28: Vulnerability report sent through GitHub PVR (GHSA-jff5-5j3g-vhqc)
- 2023-09-05: Fix PR merged
Summary
The home-assistant/actions helpers/version workflow is vulnerable to a command injection in Actions, allowing an attacker to potentially leak secrets and alter the repository using the workflow.
Product
Home Assistant
Tested Version
Details
Actions expression injection in helpers/version/action.yml (GHSL-2023-179)
The helpers/version workflow is using the raw github.head_ref value inside the publish step:
```yaml
- shell: bash
  id: publish
  run: |
    ...
    elif [[ "${{ inputs.type }}" =~ (plugin|supervisor) ]]; then
      if [[ ! -z "${{ github.head_ref }}" ]]; then
    ...
```
In the event of a repository using home-assistant/actions/helpers/version in a pull_request_target-triggered workflow, an attacker could use a malicious branch name to gain command execution in the step and potentially leak secrets.
```yaml
name: Example
on: pull_request_target
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - name: Get version
        id: version
        uses: home-assistant/actions/helpers/version@v1.0.0
```
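For comparison, here is the same step written so that the untrusted branch name cannot become part of the script: the `${{ }}` expressions are expanded into environment variables, and the bash body only reads those variables. This is an added illustration, not the advisory's text or the fix merged in the home-assistant/actions project; the variable names INPUT_TYPE and HEAD_REF and the placeholder body that writes the branch name to an output are assumptions, since the real step's logic is not shown here.

```yaml
- shell: bash
  id: publish
  env:
    # Expression expansion happens here, into the process environment,
    # before bash ever sees the script. Names are assumed for this example.
    INPUT_TYPE: ${{ inputs.type }}
    HEAD_REF: ${{ github.head_ref }}
  run: |
    # The branch name is now ordinary data in a quoted variable;
    # bash never parses its contents as commands.
    if [[ "$INPUT_TYPE" =~ (plugin|supervisor) ]]; then
      if [[ -n "$HEAD_REF" ]]; then
        # Placeholder body standing in for the real publish logic.
        echo "version=${HEAD_REF}" >> "$GITHUB_OUTPUT"
      fi
    fi
```

The same pattern applies to any other context value an untrusted party controls in a pull_request_target workflow (PR title, body, commit messages): route it through env rather than interpolating it into run.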
Impact
This issue may lead to stealing workflow secrets.
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Credit
This issue was discovered and reported by GHSL team members @jorgectf (Jorge) and @p- (Peter Stöckli).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2023-179 in any communication regarding this issue.