Coordinated Disclosure Timeline
- 2024-03-25: Report sent to kubeblocks@apecloud.com
- 2024-03-26: Fix is committed.
Summary
KubeBlocks is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.
Project
KubeBlocks
Tested Version
Details
Issue 1: Actions expression injection in pull-request-check.yml (GHSL-2024-041)
The pull-request-check.yml workflow is triggered on pull_request_target (i.e., when a pull request is created). The workflow starts with a full write-permissions GitHub repository token since the default workflow permissions on Organization/Repository level are set to read-write.
Taking the above into account, this workflow injects data controlled by said Pull Request (${{ github.event.pull_request.title }} – the title of the Pull Request) into a Run step’s script, allowing an attacker to take over the GitHub Runner to run custom commands and alter the repository.
- name: check issue link
  run: |
    bash ${{ github.workspace }}/.github/utils/issue_link.sh \
      ...
      "${{ github.event.pull_request.title }}"
This issue was found using CodeQL for JavaScript’s Expression injection in Actions query.
Impact
This issue may lead to stealing workflow secrets and modification of the repository.
Proof of Concept
- Open a Pull Request with the following title: feat: $(sleep 60)
- Check the workflow runs for the new Actions run that will execute the command sleep 60.
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Issue 2: Actions expression injection in cicd-pull-request.yml (GHSL-2024-042)
The cicd-pull-request.yml workflow is triggered on pull_request_review (i.e., when a Pull Request review is submitted). The workflow starts with a full write-permissions GitHub repository token since the default workflow permissions on Organization/Repository level are set to read-write.
Taking the above into account, this workflow injects data controlled by a Pull Request (${{ github.event.pull_request.head.ref }} – the name of the branch) into a Run step’s script, allowing an attacker to take over the GitHub Runner to run custom commands and alter the repository.
- name: Get trigger mode
  id: get_trigger_mode
  run: |
    if [[ "${{ github.event.pull_request.head.ref }}" != "main" ]]; then
      git checkout -b ${{ github.event.pull_request.head.ref }} --track origin/${{ github.event.pull_request.head.ref }}
    fi
This issue was found using CodeQL for JavaScript’s Expression injection in Actions query.
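Both issues share one root cause (a ${{ }} expression expanded directly into a run script) and one remediation pattern. The fragment below is an added illustration, not the fix KubeBlocks committed: it rewrites the two vulnerable steps so the untrusted value reaches the shell only through an environment variable, and scopes the token to read access. The step names and the issue_link.sh path come from the advisory; the env variable names, the job layout and the permissions scope are assumptions.

```yaml
# Added example (not the project's own fix): hardened forms of the two steps above.
permissions:
  contents: read   # assumed scope; narrows the default read-write token

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: check issue link
        env:
          # The runner expands ${{ }} into an environment variable, never into the
          # script text, so a title such as `feat: $(sleep 60)` stays inert data.
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          # other arguments as in the original step
          bash "${GITHUB_WORKSPACE}/.github/utils/issue_link.sh" \
            "$PR_TITLE"   # double-quoted: no command substitution, splitting or globbing

      - name: Get trigger mode
        id: get_trigger_mode
        env:
          # Same pattern for the PR head branch name, which the fork author controls.
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          if [[ "$HEAD_REF" != "main" ]]; then
            git checkout -b "$HEAD_REF" --track "origin/$HEAD_REF"
          fi
```

The same CodeQL query that found both issues can be run over the rewritten workflow to confirm that no untrusted context value is interpolated into a run script any more.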
Impact
This issue may lead to stealing workflow secrets and modification of the repository.
Proof of Concept
- Fork apecloud/kubeblocks.
- Create the following branch: $(whoami)
- Open a Pull Request from the fork against apecloud/kubeblocks.
- With a different account (no privileges required), submit an approving review.
- Check the workflow runs for the new Actions run that will execute the command whoami.
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Credit
These issues were discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-041 or GHSL-2024-042 in any communication regarding these issues.