Coordinated Disclosure Timeline

Summary

Hedy is vulnerable to Actions expression injection allowing attackers to take over the repository and steal secrets.

Project

Hedy

Tested Version

af093f0

Details

Actions expression injection in update-javascript-on-main.yml (GHSL-2024-053)

The update-javascript-on-main.yml workflow is triggered on pull_request_target (i.e., when a Pull Request is created or updated). The workflow is granted write permissions for contents.

Taking the above into account, this workflow injects data coming from said Pull Request (${{ github.event.pull_request.head.ref }} – the name of the branch) into a Run step’s script, allowing an attacker to take over the GitHub Runner to run custom commands.

- name: Determine branch name
  id: branch
  run: |
    if [[  "${{ github.event_name }}" == "pull_request"* ]]; then
      echo "Pull Request"
      echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_OUTPUT
      echo "repo=${{ github.event.pull_request.head.repo.full_name }}" >> $GITHUB_OUTPUT
    elif [[  "${{ github.event_name }}" == "push" ]]; then
      echo "Push Event"
      echo "branch=${{ github.ref }}" >> $GITHUB_OUTPUT
      echo "repo=${{ github.event.repository.full_name }}" >> $GITHUB_OUTPUT
    else
      echo "Unsupported event type!" >&2
      exit 1
    fi
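The injection happens because the runner substitutes ${{ ... }} expressions into the script text before bash parses it, so any quote or separator in the branch name becomes shell syntax. The standard mitigation is to bind untrusted event data to environment variables and reference those variables in the script, where the shell treats them as data. The step below is an added example of that pattern, written for this advisory; it is not the project's own fix, and the variable names (EVENT_NAME, PR_HEAD_REF, etc.) and the allowlist pattern for ref names are assumptions made here.

```yaml
- name: Determine branch name
  id: branch
  env:
    # Added example, not the project's fix. Event data is bound to variables
    # here; the runner does not perform expression substitution inside the
    # script body, so the shell sees these values as data, never as syntax.
    EVENT_NAME: ${{ github.event_name }}
    PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
    PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
    PUSH_REF: ${{ github.ref }}
    PUSH_REPO: ${{ github.event.repository.full_name }}
  run: |
    # Defence in depth: only accept ref names built from characters a
    # legitimate branch would use. A name such as main";echo${IFS}"hello";#
    # fails this check and stops the job before anything consumes it.
    check_ref() {
      if [[ ! "$1" =~ ^[A-Za-z0-9._/-]+$ ]]; then
        echo "Refusing unexpected ref name" >&2
        exit 1
      fi
    }
    if [[ "$EVENT_NAME" == pull_request* ]]; then
      echo "Pull Request"
      check_ref "$PR_HEAD_REF"
      echo "branch=$PR_HEAD_REF" >> "$GITHUB_OUTPUT"
      echo "repo=$PR_HEAD_REPO" >> "$GITHUB_OUTPUT"
    elif [[ "$EVENT_NAME" == "push" ]]; then
      echo "Push Event"
      check_ref "$PUSH_REF"
      echo "branch=$PUSH_REF" >> "$GITHUB_OUTPUT"
      echo "repo=$PUSH_REPO" >> "$GITHUB_OUTPUT"
    else
      echo "Unsupported event type!" >&2
      exit 1
    fi
```

The env-var binding alone removes the code-injection path; the allowlist check is an extra guard so that a surprising ref name fails loudly rather than being written to $GITHUB_OUTPUT and consumed by later steps. Independently of this step, a pull_request_target workflow holding contents: write permission should be reviewed to confirm that no later step checks out or executes code from the PR head.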

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Proof of concept

  1. Fork the hedyorg/hedy repository, which we will refer to as username/hedy-fork.
  2. Create a branch in username/hedy-fork with the name main";echo${IFS}"hello";#.
  3. Push any change to that branch.
  4. Create a pull request from username/hedy-fork:main";echo${IFS}"hello";# to hedyorg/hedy:main.
  5. Check the workflow runs for the new Actions run that will execute the command echo "hello".

Resources

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-053 in any communication regarding this issue.