Coordinated Disclosure Timeline

Summary

An AsyncAPI organization-wide workflow is vulnerable to Actions expression injection allowing an attacker to take over the repositories and steal secrets.

Project

AsyncAPI

Tested Version

703ea72

Details

Actions expression injection in notify-tsc-members-mention (GHSL-2024-052)

The notify-tsc-members-mention workflow is triggered by several events: issue_comment, discussion_comment, issues, pull_request_target and discussion. The workflow runs with a GitHub repository token that has full write permissions, because the default workflow permissions at the organization/repository level are set to read-write.

Taking the above into account, this workflow interpolates data controlled by the senders of all of those events (issue, pull request, discussion and comment titles and URLs) directly into the inline script shown below, allowing an attacker to take over the GitHub runner, run custom commands and alter the repository.

with:
  script: |
    const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
    sendEmail('${{github.event.issue.html_url}}', '${{github.event.issue.title}}');
with:
  script: |
    const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
    sendEmail('${{github.event.pull_request.html_url}}', '${{github.event.pull_request.title}}');
with:
  script: |
    const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
    sendEmail('${{github.event.discussion.html_url}}', '${{github.event.discussion.title}}');
with:
  script: |
    const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
    sendEmail('${{github.event.comment.html_url}}', '${{github.event.issue.title}}');
with:
  script: |
    const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
    sendEmail('${{github.event.comment.html_url}}', '${{github.event.discussion.title}}');
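The root cause in each fragment above is that `${{ ... }}` is expanded by the Actions runner before the script text is handed to JavaScript, so an issue or comment title containing a quote character becomes part of the script's source. The following is an added example of the hardened form of one such step; it is not the AsyncAPI project's own fix. The workflow and job names, the `issues` trigger, the `actions/github-script` and `actions/checkout` action versions, and the environment-variable names are assumptions; the `sendEmail` script path comes from the advisory.

```yaml
# Added example (not the AsyncAPI project's workflow): one job of a hardened
# notify-tsc-members-mention-style workflow. Job and step names, the trigger and
# the env variable names are assumptions; the script path is from the advisory.
name: notify-tsc-members-mention (hardened example)

on:
  issues:
    types: [opened]

# Least privilege: the token no longer inherits the organization's read-write
# default, so even a compromised step cannot push to the repository.
permissions:
  contents: read
  issues: read

jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Send email without expression injection
        uses: actions/github-script@v7
        # Untrusted event fields are bound to environment variables instead of
        # being interpolated into the script source with ${{ }}.
        env:
          ISSUE_URL: ${{ github.event.issue.html_url }}
          ISSUE_TITLE: ${{ github.event.issue.title }}
        with:
          script: |
            const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
            // process.env values arrive as plain strings at runtime: a title
            // containing quotes or backticks is data, never code.
            sendEmail(process.env.ISSUE_URL, process.env.ISSUE_TITLE);
```

The same change applies to the `pull_request`, `discussion` and `comment` variants: every `${{ github.event.* }}` reference moves from the `script` body into `env:`, and the script reads it through `process.env`. Restricting `permissions:` is an independent, defense-in-depth measure; it limits what a future injection could do with the token but does not by itself remove the injection.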

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Resources

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-052 in any communication regarding this issue.