Coordinated Disclosure Timeline
- 2024-03-31: Report sent via email
- 2024-04-02: Vulnerability fixed with PR
Summary
Infinispan is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.
Project
infinispan
Tested Version
Details
Actions Injection in pull_request_merge.yml
(GHSL-2024-048
)
The pull-request-merge.yml
workflow is triggered on pull_request_target
(i.e., when a pull request is merged). The workflow starts with full write
-permissions GitHub repository token since the default workflow permissions on Organization/Repository level are set to read-write.
Taking the above into account, this workflow injects data controlled by said Pull Request (${{ github.event.pull_request.title }}
– the title of the Pull Request) into a Run step’s script, allowing an attacker to take over the GitHub Runner to run custom commands and alter the repository.
jobs:
updateJira:
if: github.event.pull_request.merged == true
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Extract Jira Key
run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}" | grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV
This issue was found using CodeQL for JavaScript’s Expression injection in Actions query.
Impact
This issue may lead to stealing workflow secrets and modification of the repository.
Proof of Concept
- Open a Pull Request with the following title: hello”); echo `whoami` #
- Check the workflow runs for the new Actions run that will execute the command
whoami
and print the wordrunner
.
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Credit
This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
Contact
You can contact the GHSL team at securitylab@github.com
, please include a reference to GHSL-2024-057
in any communication regarding this issue.