Coordinated Disclosure Timeline

Summary

Cromwell is vulnerable to a GitHub Actions expression injection that allows an attacker to take over the repository and steal secrets.

Project

Cromwell

Tested Version

86

Details

Actions expression injection in scalafmt-fix.yml (GHSL-2024-050)

The scalafmt-fix.yml workflow is triggered on issue_comment (i.e., when a comment is created on an Issue) and pull_request_target (i.e., when a Pull Request is created or updated). The workflow runs with a GitHub repository token that has full write permissions, since the default workflow permissions at the Organization/Repository level are set to read-write.

Taking the above into account, this workflow injects data controlled by said Issue comment (${{ github.event.comment.body }}, the comment text) and said Pull Request (${{ github.event.pull_request.head.ref }}, the name of the head branch) into a Run step's script. Because the expression is expanded before the shell sees the script, an attacker who controls either value can take over the GitHub Runner, run custom commands and alter the repository.

- name: Determine Target Branch
  id: determine-branch
  run: |
    if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
      echo "::set-output name=target_branch::${{ inputs.branch_name }}"
    else
      # head.ref is chosen by the PR author and is expanded verbatim into this script
      echo "::set-output name=target_branch::${{ github.event.pull_request.head.ref }}"
    fi
- name: Check for ScalaFmt Comment
  id: check-comment
  run: |
    # comment.body is written by anyone who can comment and is expanded verbatim into this script
    if [[ "${{ github.event_name }}" == "issue_comment" && "${{ github.event.comment.body }}" == *"scalafmt"* ]]; then
      echo "::set-output name=comment-triggered::true"
    else
      echo "::set-output name=comment-triggered::false"
    fi
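The following is an added example, not code from the Cromwell project or from the advisory. It is a small scanner that flags `${{ }}` expressions expanded inside a `run:` script when they reference a context a non-maintainer can influence, and it is run over two constructed workflow fragments: a copy of the vulnerable steps above, and a hardened rewrite in which the same values are passed through `env:` so the shell reads them as variables instead of having them spliced into the script text. The list of untrusted contexts, the step names and the environment variable names are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Workflow contexts that a non-maintainer can influence by commenting on an
# issue, opening a pull request, or naming the PR's head branch.
# Constructed for this example; not an exhaustive list.
UNTRUSTED_CONTEXTS = (
    "github.event.comment.body",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY_RE = re.compile(r"^(?P<prefix>\s*(?:-\s+)?)run:(?P<rest>.*)$")


@dataclass
class Finding:
    line_no: int
    expression: str


def find_injections(workflow_text: str) -> list[Finding]:
    """Return every untrusted ${{ }} expression that is expanded inside a run: script."""
    findings: list[Finding] = []
    run_key_indent: int | None = None  # indent of the 'run' key while inside its block

    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))

        # A non-empty line indented no deeper than the 'run' key closes the block scalar.
        if run_key_indent is not None and stripped and indent <= run_key_indent:
            run_key_indent = None

        in_scope = run_key_indent is not None
        m = RUN_KEY_RE.match(line)
        if m:
            in_scope = True  # an inline 'run: echo ...' is a script too
            if m.group("rest").strip() in ("|", ">", "|-", ">-", "|+", ">+"):
                run_key_indent = len(m.group("prefix"))

        if not in_scope:
            continue
        for expr in EXPR_RE.findall(line):
            if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                findings.append(Finding(line_no, expr))
    return findings


# Constructed copy of the vulnerable steps: attacker-controlled values are expanded into the script.
VULNERABLE = """\
- name: Determine Target Branch
  id: determine-branch
  run: |
    if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
      echo "::set-output name=target_branch::${{ inputs.branch_name }}"
    else
      echo "::set-output name=target_branch::${{ github.event.pull_request.head.ref }}"
    fi
- name: Check for ScalaFmt Comment
  id: check-comment
  run: |
    if [[ "${{ github.event_name }}" == "issue_comment" && "${{ github.event.comment.body }}" == *"scalafmt"* ]]; then
      echo "::set-output name=comment-triggered::true"
    else
      echo "::set-output name=comment-triggered::false"
    fi
"""

# Constructed hardened rewrite: the same values reach the shell only as environment variables.
HARDENED = """\
- name: Determine Target Branch
  id: determine-branch
  env:
    HEAD_REF: ${{ github.event.pull_request.head.ref }}
    INPUT_BRANCH: ${{ inputs.branch_name }}
  run: |
    if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
      echo "target_branch=${INPUT_BRANCH}" >> "$GITHUB_OUTPUT"
    else
      echo "target_branch=${HEAD_REF}" >> "$GITHUB_OUTPUT"
    fi
- name: Check for ScalaFmt Comment
  id: check-comment
  env:
    COMMENT_BODY: ${{ github.event.comment.body }}
  run: |
    if [[ "${{ github.event_name }}" == "issue_comment" && "${COMMENT_BODY}" == *"scalafmt"* ]]; then
      echo "comment-triggered=true" >> "$GITHUB_OUTPUT"
    else
      echo "comment-triggered=false" >> "$GITHUB_OUTPUT"
    fi
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        hits = find_injections(text)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line_no}: ${{{{ {f.expression} }}}} expanded inside run script")
```

The scanner reports the two expansions in the vulnerable fragment (the head branch name and the comment body) and nothing in the hardened one, because there the `${{ }}` expressions live under `env:`, where the runner stores them in variables rather than rewriting the script. The hardened fragment also writes outputs via `$GITHUB_OUTPUT`, which replaced the deprecated `::set-output` command; that change is independent of the injection fix. Pairing this with a `permissions:` block that grants the token only what the job needs limits what a successful injection could do.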

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Resources

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-050 in any communication regarding this issue.