Coordinated Disclosure Timeline
Summary
DuckDB is vulnerable to Actions expression injection allowing attackers to take over the repository and steal secrets.
Project
DuckDB
Tested Version
Details
Actions expression injection in CheckIssueForCodeFormatting.yml (GHSL-2024-055)
The CheckIssueForCodeFormatting.yml workflow is triggered on issues (i.e., when an Issue is created). The workflow starts with full write-permissions GitHub repository token since the default workflow permissions on Organization/Repository level are set to read-write.
Taking the above into account, this workflow injects data controlled by said Issue (${{ github.event.issue.body }} – the body of the Issue) into a Run step’s script, allowing an attacker to take over the GitHub Runner to run custom commands and alter the repository.
- name: Check issue for code formatting
run: |
cat << 'EOF' >> issue-text.md
${{ github.event.issue.body }}"
EOF
if ! cat issue-text.md | python3 scripts/check-issue-for-code-formatting.py; then
gh issue comment ${{ github.event.issue.number }} --body-file .github/workflows/code-formatting-warning.md
fi
Impact
This issue may lead to stealing workflow secrets and modification of the repository.
Proof of Concept
- Open an Issue with the following body:
EOF whoami cat << 'EOF' >> issue-text.md foo - Check the workflow runs for the new Actions run that will execute the command
whoami.
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Credit
This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-055 in any communication regarding this issue.