Coordinated Disclosure Timeline
- 2024-03-25: Opened an Issue asking for a security contact.
- 2024-03-25: Private Vulnerability Reporting is enabled on the repository.
- 2024-03-25: Opened a report via Private Vulnerability Reporting.
- 2024-03-25: Fix is committed.
Summary
Simple Icons is vulnerable to an Actions expression injection, allowing an attacker to take over the repository and steal secrets.
Project
Simple Icons
Tested Version
Details
Actions expression injection in autoclose-issues.yml (GHSL-2024-044)
The autoclose-issues.yml workflow is triggered on issue (i.e., when an Issue is created). The workflow starts with a full write-permissions GitHub repository token, since the default workflow permissions at the Organization/Repository level are set to read-write.
Taking the above into account, this workflow injects data controlled by said Issue (${{ github.event.issue.title }}, the title of the Issue) directly into a Run step's script. Because the expression is expanded into the script text before the shell runs it, an attacker can take over the GitHub Runner to run custom commands and alter the repository.
- id: match-java
  name: Match Java
  run: |
    if [[ "${{ github.event.issue.title }}" =~ (^|[[:space:]])([jJ][aA][vV][aA])([[:space:]]|$) ]]; then
      echo "match=true" >> $GITHUB_OUTPUT
    fi
This issue was found using CodeQL for JavaScript’s Expression injection in Actions query.
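The standard remediation for this class of bug is to keep the expression out of the script body and hand the untrusted value to the step through an environment variable, so the shell only ever sees it as the value of a variable and never as code. The block below is an added example, not code from the advisory or from the Simple Icons project: the comment shows what the hardened step would look like, and the function reproduces that step's matching logic so it can be run locally against constructed titles. The variable name ISSUE_TITLE is an assumption, and grep -E is used in place of bash's =~ so the function is portable.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory or the Simple Icons project).
#
# Hardened form of the "Match Java" step: the expression moves from run: to
# env:, so the runner substitutes the title into an environment variable
# instead of into the script text. ISSUE_TITLE is an assumed name.
#
#   - id: match-java
#     name: Match Java
#     env:
#       ISSUE_TITLE: ${{ github.event.issue.title }}
#     run: |
#       if [[ "$ISSUE_TITLE" =~ (^|[[:space:]])([jJ][aA][vV][aA])([[:space:]]|$) ]]; then
#         echo "match=true" >> "$GITHUB_OUTPUT"
#       fi
#
# The function below is that step's logic as plain shell. The title arrives
# as a variable value (the same way env: delivers it), so metacharacters in
# it are data, not commands. grep -E replaces bash's =~ for portability.

# match_java TITLE -> prints "match=true" if the title contains the word
# "java" (any case) delimited by whitespace or string boundaries, else
# "match=false". Always exits 0 so callers can compare the output.
match_java() {
  title="$1"
  if printf '%s\n' "$title" | grep -Eq '(^|[[:space:]])[jJ][aA][vV][aA]([[:space:]]|$)'; then
    echo "match=true"
  else
    echo "match=false"
  fi
}

# Constructed sample titles for a local run. The third one is the
# advisory's proof-of-concept title; here it is only ever a string.
match_java 'Add Java icon'            # match=true
match_java 'javascript icon request'  # match=false (no word boundary)
match_java '$(whoami)'                # match=false, nothing is executed
```

In the workflow itself the only change is moving ${{ github.event.issue.title }} from the run: script into an env: entry and referencing the quoted variable; the regex and the $GITHUB_OUTPUT write stay as they were.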
Impact
This issue may lead to stealing workflow secrets and modification of the repository.
Proof of Concept
- Open an Issue with the following title: $(whoami)
- Check the workflow runs for the new Actions run that will execute the command whoami.
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Credit
This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-044 in any communication regarding this issue.