Coordinated Disclosure Timeline

Summary

KubeBlocks is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.

Project

KubeBlocks

Tested Version

v0.8.2

Details

Issue 1: Actions expression injection in pull-request-check.yml (GHSL-2024-041)

The pull-request-check.yml workflow is triggered on pull_request_target (i.e., when a pull request is created). The workflow starts with a GitHub repository token that has full write permissions, since the default workflow permissions at the Organization/Repository level are set to read-write.

Taking the above into account, this workflow injects data controlled by that Pull Request (${{ github.event.pull_request.title }} – the title of the Pull Request) into a Run step’s script, allowing an attacker to take over the GitHub Runner, run custom commands and alter the repository.

- name: check issue link
  run: |
    bash ${{ github.workspace }}/.github/utils/issue_link.sh \
      ...
      "${{ github.event.pull_request.title }}"

This issue was found using CodeQL for JavaScript’s Expression injection in Actions query.

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Proof of Concept

  1. Open a Pull Request with the following title: feat: $(sleep 60)
  2. Check the workflow runs for the new Actions run that will execute the command sleep 60.

Resources

Issue 2: Actions expression injection in cicd-pull-request.yml (GHSL-2024-042)

The cicd-pull-request.yml workflow is triggered on pull_request_review (i.e., when a Pull Request review is submitted). The workflow starts with a GitHub repository token that has full write permissions, since the default workflow permissions at the Organization/Repository level are set to read-write.

Taking the above into account, this workflow injects data controlled by a Pull Request (${{ github.event.pull_request.head.ref }} – the name of the head branch) into a Run step’s script, allowing an attacker to take over the GitHub Runner, run custom commands and alter the repository.

- name: Get trigger mode
  id: get_trigger_mode
  run: |
    if [[ "${{ github.event.pull_request.head.ref }}" != "main" ]]; then
        git checkout -b ${{ github.event.pull_request.head.ref }} --track origin/${{ github.event.pull_request.head.ref }}
    fi

This issue was found using CodeQL for JavaScript’s Expression injection in Actions query.
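The mechanism behind both issues is that ${{ }} expressions are substituted into the step text before the shell ever sees it, so a PR title or branch name is pasted into shell source. The following is an added illustration, not code from the advisory or from KubeBlocks: it emulates that rendering step, runs the Issue 1 shape next to a hardened variant that passes the expression through env:, and includes a small scanner for the two PR-controlled expressions named above. The step bodies, the env variable name PR_TITLE and the title value are constructed for the demonstration; bash must be on PATH.

```python
import os
import re
import subprocess

# The PR-controlled expressions the advisory reports (Issue 1 and Issue 2).
UNTRUSTED = re.compile(r"\$\{\{\s*github\.event\.pull_request\.(title|head\.ref)\s*\}\}")

def untrusted_expressions(run_script):
    """Flag ${{ }} expressions inside a run: script that carry PR-controlled
    data; a miniature of the check the CodeQL query automates."""
    return sorted({"github.event.pull_request." + m for m in UNTRUSTED.findall(run_script)})

TITLE_EXPR = "${{ github.event.pull_request.title }}"

# Vulnerable shape from Issue 1: the expression sits inside the shell script.
VULNERABLE_RUN = 'echo "title: ' + TITLE_EXPR + '"'

# Hardened shape (constructed): the expression is evaluated into an env: value
# and the script reads $PR_TITLE, which bash treats as data, never as code.
HARDENED_ENV = {"PR_TITLE": TITLE_EXPR}
HARDENED_RUN = 'echo "title: $PR_TITLE"'

# Constructed, harmless stand-in for a crafted PR title.
PAYLOAD_TITLE = "feat: $(echo INJECTED)"

def render(text, title):
    """Emulate the Actions renderer: ${{ }} is replaced textually before the
    step reaches the shell, with no quoting or escaping of the value."""
    return text.replace(TITLE_EXPR, title)

def run_step(script, env, title):
    """Run a run: step the way a runner does: render expressions in the script
    and in env: values, then hand the script to bash. Returns stdout."""
    step_env = {**os.environ, **{k: render(v, title) for k, v in env.items()}}
    proc = subprocess.run(["bash", "-c", render(script, title)], env=step_env,
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()

def demo():
    """Same PR title through both steps: the vulnerable one executes the
    command substitution, the hardened one echoes it back as plain text."""
    return (run_step(VULNERABLE_RUN, {}, PAYLOAD_TITLE),
            run_step(HARDENED_RUN, HARDENED_ENV, PAYLOAD_TITLE))

if __name__ == "__main__":
    print("flagged in vulnerable step:", untrusted_expressions(VULNERABLE_RUN))
    vulnerable, hardened = demo()
    print("vulnerable step printed:", vulnerable)
    print("hardened step printed:  ", hardened)
```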

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Proof of Concept

  1. Fork apecloud/kubeblocks.
  2. Create the following branch: $(whoami)
  3. Open a Pull Request from the fork against apecloud/kubeblocks.
  4. With a different account (no privileges required), submit an approving review.
  5. Check the workflow runs for the new Actions run that will execute the command whoami.

Resources

Credit

These issues were discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2024-041 or GHSL-2024-042 in any communication regarding these issues.