Coordinated Disclosure Timeline

Summary

Infinispan is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.

Project

infinispan

Tested Version

15.0.0.Final

Details

Actions Injection in pull_request_merge.yml (GHSL-2024-048)

The pull-request-merge.yml workflow is triggered on pull_request_target (i.e., when a pull request is merged). The workflow starts with full write-permissions GitHub repository token since the default workflow permissions on Organization/Repository level are set to read-write.

Taking the above into account, this workflow injects data controlled by said Pull Request (${{ github.event.pull_request.title }} – the title of the Pull Request) into a Run step’s script, allowing an attacker to take over the GitHub Runner to run custom commands and alter the repository.

jobs:
  updateJira:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Extract Jira Key
        run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}" | grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV

This issue was found using CodeQL for JavaScript’s Expression injection in Actions query.

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Proof of Concept

  1. Open a Pull Request with the following title: hello”); echo `whoami` #
  2. Check the workflow runs for the new Actions run that will execute the command whoami and print the word runner.

Resources

Credit

This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-057 in any communication regarding this issue.