Coordinated Disclosure Timeline
- 2024-02-19: The report was sent to security at Redash.
- 2024-03-22: Asked for update.
- 2024-03-26: Cleared the confusion with another report GHSL-2024-009.
- 2024-05-01: Asked for update.
- 2024-05-18: Redash confirmed they are going to work on it.
- 2024-09-20: Asked for update.
- 2025-01-08: Public pull request created.
- 2025-01-14: Redash reached over email describing changes that were made.
- 2025-01-14: Consulted Redash over email about the threat model of the report.
- 2025-01-24: Pinged Redash over email to note that the vulnerability had not been fixed and the pull request had not been merged.
- 2025-01-31: Fixed in pull request 7298.
Summary
Insecure usage of pull_request_target makes the Redash repository vulnerable to unauthorized repository modification or secrets exfiltration.
Project
Redash
Tested Version
changeset 320fddfd521bbe3b36e11820c55e3c6cf5f367eb
Details
Unauthorized repository modification or secrets exfiltration in CI workflow (GHSL-2024-017)
The CI.yml workflow is triggered on pull_request_target with a write repository token:
GITHUB_TOKEN Permissions
Actions: write
Checks: write
Contents: write
Deployments: write
Discussions: write
Issues: write
Metadata: read
Packages: write
Pages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write
It also checks out the pull request's files and runs them in the privileged context (the frontend-unit-tests job is referenced only as an example; the same pattern occurs in other jobs too). Because pull_request_target runs in the context of the base repository, code taken from a fork's pull request executes with that write token and with the repository's secrets, whereas the plain pull_request trigger would give a fork a read-only token and no secrets.
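The following is an added illustration, not Redash's CI.yml or any code from the project: a small line-based checker for the pattern described above, run over two constructed workflow snippets, a vulnerable one shaped like the frontend-unit-tests job (the checkout ref and the yarn commands are assumptions) and a hardened one that uses the plain pull_request trigger and a read-only token.

```python
"""Added illustration (not Redash's CI.yml): a minimal checker for the
pull_request_target "pwn request" pattern.

The dangerous combination is:
  1. the workflow is triggered on pull_request_target, so it runs in the base
     repository's context with a privileged GITHUB_TOKEN and the repository's
     secrets, even for pull requests from forks;
  2. a job checks out the pull request head (github.event.pull_request.head.sha,
     .head.ref or the github.head_ref shorthand) rather than the base branch;
  3. the job then executes something from that checkout (install scripts,
     tests, a local action).
"""
import re

# Constructed sample, modelled on the frontend-unit-tests job shape; the
# checkout ref and the yarn commands are assumptions, not Redash's file.
VULNERABLE_WORKFLOW = """\
name: CI
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  frontend-unit-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: yarn install && yarn test
"""

# Constructed hardened form: the plain pull_request trigger gives fork PRs a
# read-only token and no secrets, and the token is scoped down explicitly.
HARDENED_WORKFLOW = """\
name: CI
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  frontend-unit-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: yarn install && yarn test
"""

# A checkout step whose ref points at the pull request head.
PR_HEAD_CHECKOUT = re.compile(
    r"^\s*ref:\s*.*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)\b",
    re.M,
)
# Any step that executes code from the working tree (shell step or local action).
RUNS_CODE = re.compile(r"^\s*-?\s*(?:run:|uses:\s*\./)", re.M)


def triggers(workflow: str) -> set[str]:
    """Event names under the top-level `on:` key (scalar, flow-sequence and
    block-mapping/list forms). Line-based on purpose: no YAML library needed."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(?:on|'on'|\"on\"):\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:  # `on: push` or `on: [push, pull_request_target]`
            return {t.strip() for t in inline.strip("[]").split(",") if t.strip()}
        events, indent = set(), None
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            cur = len(nxt) - len(nxt.lstrip(" "))
            if cur == 0:  # next top-level key ends the `on:` block
                break
            indent = cur if indent is None else indent
            if cur == indent:  # only the event names, not their options
                key = re.match(r"^-?\s*([\w-]+)", nxt.strip())
                if key:
                    events.add(key.group(1))
        return events
    return set()


def checks_out_pr_head(workflow: str) -> bool:
    return bool(PR_HEAD_CHECKOUT.search(workflow))


def runs_checked_out_code(workflow: str) -> bool:
    return bool(RUNS_CODE.search(workflow))


def findings(workflow: str) -> list[str]:
    """Human-readable problems; an empty list means the pattern is absent."""
    problems = []
    if "pull_request_target" not in triggers(workflow):
        return problems  # unprivileged trigger: fork PRs get a read-only token
    if not re.search(r"^\s*permissions:", workflow, re.M):
        problems.append("no permissions block: GITHUB_TOKEN keeps the repository default scopes")
    if checks_out_pr_head(workflow):
        problems.append("checks out the pull request head under pull_request_target")
        if runs_checked_out_code(workflow):
            problems.append("runs steps from that checkout with the privileged token and secrets")
    return problems


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, findings(wf) or ["ok"])
```

The checker is a triage aid, not a substitute for reading the workflow: it will not see a checkout buried in a composite action, a `repository:` override pointing at the fork, or a later step that writes to the repository with the token. When a job genuinely needs write access to act on a fork's pull request, the usual hardening is to split it: run the untrusted code under pull_request, publish results as an artifact, and consume them in a separate workflow_run job that never checks out the pull request head.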
Impact
Running untrusted code with a privileged repository token and access to secrets may lead to unauthorized repository modification or exfiltration of the secrets, including secrets.DOCKER_PASS.
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-017 in any communication regarding this issue.