Coordinated Disclosure Timeline
- 2024-03-25: Opened a discussion asking for a security contact.
- 2024-03-27: Report sent via Private Vulnerability Reporting.
- 2024-06-10: Repository is archived.
Summary
BioDrop is vulnerable to Actions expression injection allowing an attacker to manipulate repository issues.
Project
BioDrop
Tested Version
Details
Actions expression injection in check-author-issues.yml (GHSL-2024-037)
The check-author-issues.yml workflow is triggered on issues (i.e., when an issue is created or modified). The workflow runs with write permissions for issues.
Taking the above into account, this workflow injects data coming from said issue (${{ github.event.issue.body }}, the full contents of the issue body) into a Run step’s script, allowing an attacker to take over the GitHub Runner to run custom commands.
- name: check author issue assignment choice
  run: |
    CHOICE=$(echo "${{ github.event.issue.body }}" | grep -A 3 "Do you want to work on this issue?\(\s*\)" | ( grep -oiE "yes" || echo "No" ))
    echo "CHOICE=$CHOICE" >> $GITHUB_ENV
- name: Update issue if author has assigned issues
  if: steps.check-assignee.outputs.has_issues == 'true'
  run: |
    ISSUE_AUTHOR=${{ github.event.issue.user.login }}
    ISSUE_NUMBER=${{ github.event.issue.number }}
    ISSUE_URL="https://github.com/$GITHUB_REPOSITORY/issues/$ISSUE_NUMBER"
    ASSIGNED_ISSUES_URL="https://github.com/$GITHUB_REPOSITORY/issues?q=is%3Aopen+is%3Aissue+assignee%3A$ISSUE_AUTHOR"
    UPDATE_TEXT="ℹ️ **$ISSUE_AUTHOR** has some opened assigned issues: 🔧[View assigned issues]($ASSIGNED_ISSUES_URL)"
    OLD_BODY="${{ github.event.issue.body }}"
    BODY=$(jq --arg old_body "$OLD_BODY" --arg update_text "$UPDATE_TEXT" -n '{ body: ($old_body + "\n\n" + $update_text) }')
    curl -L \
      -X PATCH \
      -H "Accept: application/vnd.github+json" \
      -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
      -H "X-GitHub-Api-Version: 2022-11-28" \
      https://api.github.com/repos/$GITHUB_REPOSITORY/issues/$ISSUE_NUMBER \
      -s -d "$BODY"
This issue was found using the Expression injection in Actions query from CodeQL for JavaScript.
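The standard remediation for this class of bug is to expand the expression into an environment variable and reference that variable from the script, so the runner never splices issue text into the shell source. The following is an added example, not BioDrop's code: the first step's grep pipeline as a shell function that takes the body from a variable (the hardened YAML is shown in the comments), run against two constructed issue bodies, one of them carrying the command-substitution text from the proof of concept below.

```bash
#!/usr/bin/env sh
# Added example, not BioDrop's code: the "check author issue assignment
# choice" step rewritten so the issue body reaches the shell as data.
#
# In the hardened workflow the step becomes (YAML shown for reference):
#
#   - name: check author issue assignment choice
#     env:
#       ISSUE_BODY: ${{ github.event.issue.body }}
#     run: |
#       CHOICE=$(printf '%s\n' "$ISSUE_BODY" | grep -A 3 'Do you want to work on this issue?' | ( grep -oiE 'yes' || echo 'No' ))
#       echo "CHOICE=$CHOICE" >> "$GITHUB_ENV"
#
# The runner expands ${{ }} into the environment, not into the script text,
# so "$ISSUE_BODY" is one quoted string to the shell and its contents are
# never parsed as commands.

# Same grep pipeline as the original step, taking the body from "$1".
# Prints the "yes" as written in the issue when it appears within the three
# lines after the question, otherwise "No".
choice_from_body() {
  printf '%s\n' "$1" \
    | grep -A 3 'Do you want to work on this issue?' \
    | ( grep -oiE 'yes' || echo 'No' )
}

# Constructed sample issue bodies (not real BioDrop issues). The second
# carries the command-substitution text from the advisory's proof of concept;
# single quotes keep it literal here, just as the env variable does on the runner.
BENIGN_BODY=$(printf '%s\n' '### Describe the bug' 'Profile page 404s.' '' \
  '### Do you want to work on this issue?' '' 'Yes')
HOSTILE_BODY=$(printf '%s\n' '### Do you want to work on this issue?' '' \
  '$(sleep 60) no thanks')

main() {
  echo "benign  -> $(choice_from_body "$BENIGN_BODY")"
  # Returns immediately: the $(sleep 60) text is matched by grep, not run.
  echo "hostile -> $(choice_from_body "$HOSTILE_BODY")"
}
main
```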
Impact
This issue may lead to arbitrary issue alteration.
Proof of concept
- Open an issue with the following content: $(sleep 60)
- Check the workflow runs for the new Actions run, which will execute the command sleep 60.
Resources
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Credit
This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-037 in any communication regarding this issue.