Coordinated Disclosure Timeline

Summary

starrocks is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.

Project

starrocks

Tested Version

2.5.20

Details

Issue 1: Actions Injection in pr-checker.yml (GHSL-2024-058)

The pr-checker.yml workflow is triggered on pull_request_target (i.e., when a pull request is opened). The workflow starts with a GitHub repository token that has full write permissions, since the default workflow permissions at the organization/repository level are set to read-write.

Taking the above into account, this workflow injects data controlled by said Pull Request (${{ github.event.pull_request.title }} – the title of the Pull Request, and ${{ github.head_ref }} – the branch name of the incoming Pull Request) into a Run step’s script, allowing an attacker to take over the GitHub Runner, run custom commands and alter the repository.

Instance 1

    steps:
      - run: echo "Normal PR."

      - name: backport assign
        id: backport_assign
        if: startsWith(github.head_ref, 'mergify/bp/') && github.event.action == 'opened'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.number }}
          REPO: ${{ github.repository }}
        run: |
          ORI_PR=$(echo "${{ github.event.pull_request.title }}" | grep -oP '\(backport #\K\d+' | tail -n 1)    # <---- use of pull request title
          author=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login')
          if [[ ! "${author}" =~ "mergify" ]]; then
            gh pr edit ${PR_NUMBER} -R ${REPO} --add-assignee ${author} || true
            echo "ORI_PR=${ORI_PR}" >> $GITHUB_OUTPUT
          fi

Instance 2

      - name: check backport pr's title
        if: github.base_ref != 'main' && contains(toJson(github.event.pull_request.body), '[x] This is a backport pr')
        run: |
          PR_TITLE=$(echo "${{ github.event.pull_request.title }}")                                  # <----- use of pull request title
          count=$(echo $PR_TITLE | grep -E '\(backport #[0-9]+)$' | wc -l)
          if [[ $count -le 0 ]]; then
            echo "::error::Backport PR title is not valid. It should end with '(backport #[0-9]+)'"
            exit 1
          fi

Instance 3

      - name: update body
        if: always() && github.base_ref != 'main' && (github.event.action == 'opened' || github.event.action == 'reopened')
        env:
          GH_TOKEN: ${{ secrets.PAT }}
        run: |
          gh pr view ${PR_NUMBER} -R ${REPO} --json body -q .body > body.txt
          ori_body=$(cat body.txt)

          if [[ "${{ github.head_ref }}" == "mergify/bp/"* && "${BACKPORT_SOURCE_PR}" != "" ]]; then            # <--- use of head_ref
            gh pr view ${BACKPORT_SOURCE_PR} -R ${REPO} --json body -q .body > source_body.txt
            sed -ie '/Bugfix cherry-pick branch check/,$d' source_body.txt
            cat body.txt source_body.txt > tmp_body.txt
            mv tmp_body.txt body.txt
          fi

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Resources

Issue 2: Actions Injection in ci-merged.yml (GHSL-2024-059)

The ci-merged.yml workflow is triggered on pull_request_target, when a pull request is merged. The workflow starts with a GitHub repository token that has partial write permissions, since some of the token's permissions are set to write.

Taking the above into account, this workflow injects data controlled by said Pull Request (${{ github.event.pull_request.title }} – the title of the Pull Request) into a Run step’s script, allowing an attacker to take over the GitHub Runner, run custom commands and perform a limited set of actions on the repository.

      - name: add merge label
        if: >
          always() && !contains(github.event.pull_request.labels.*.name, 'sync') &&
          contains(github.event.pull_request.title, '(backport #')
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          LABEL="${GITHUB_BASE_REF##*-}-merged"
          ORI_PR=$(echo "${{ github.event.pull_request.title }}" | grep -oP '\(backport #\K\d+' | tail -n 1)       # <------ use of pull request title
          gh pr edit ${ORI_PR} -R ${GITHUB_REPOSITORY} --add-label "${LABEL}"
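Both issues above come down to the same pattern: a pull-request-controlled context is expanded by `${{ }}` directly inside a `run:` script. The following is an added example, not StarRocks code and not a GitHub tool: a stdlib-only, line-based scan (not a full YAML parser) that reports exactly that pattern, while leaving `if:`, `env:` and `with:` expressions alone because Actions evaluates those itself and the shell never sees them. The constructed inputs are a step adapted from Instance 2 of pr-checker.yml and the same step with the title passed through `env:` and quoted, which is the usual fix.

```python
import re

# Contexts a pull request author controls; expanding one inside a `run:` script
# (as the StarRocks steps above do) lets the author inject shell commands.
UNTRUSTED = re.compile(
    r"github\.(?:head_ref|event\.(?:pull_request\.(?:title|body|head\.(?:ref|label))"
    r"|issue\.(?:title|body)|comment\.body|review\.body|commits\b))"
)
EXPRESSION = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")  # `run:` or `- run:`

def _flag(lineno, text):
    return [(lineno, m.group(1).strip()) for m in EXPRESSION.finditer(text)
            if UNTRUSTED.search(m.group(1))]

def find_run_injections(workflow_text):
    """(line_no, expression) pairs for untrusted contexts expanded inside run:.
    if:/env:/with: are evaluated by Actions, not the shell, so not reported."""
    findings, key_indent = [], None  # key_indent is set inside a block scalar
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if key_indent is not None:
            if line.strip() and indent <= key_indent:
                key_indent = None  # block scalar ended at a sibling key
            else:
                findings.extend(_flag(lineno, line))
                continue
        m = RUN_KEY.match(line)
        if m and m.group(2).startswith(("|", ">")):
            key_indent = len(m.group(1))  # body is every deeper-indented line
        elif m:
            findings.extend(_flag(lineno, m.group(2)))  # one-line run: script
    return findings

# Constructed input adapted from Instance 2 of pr-checker.yml above...
VULNERABLE_STEP = r"""      - name: check backport pr's title
        if: github.base_ref != 'main'
        run: |
          PR_TITLE=$(echo "${{ github.event.pull_request.title }}")
          count=$(echo $PR_TITLE | grep -E '\(backport #[0-9]+\)$' | wc -l)
"""
# ...and the same step with the title passed through env: and quoted, so the
# shell receives it as data rather than as part of the script text.
HARDENED_STEP = r"""      - name: check backport pr's title
        if: github.base_ref != 'main'
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          count=$(printf '%s\n' "$PR_TITLE" | grep -E '\(backport #[0-9]+\)$' | wc -l)
"""
```

`find_run_injections(VULNERABLE_STEP)` reports the title expansion on line 4 of the step; the hardened step yields no findings.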

Impact

This issue may lead to stealing workflow secrets and modification of the issues, pull requests, etc.

Resources

Credit

These issues were discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-058 or GHSL-2024-059 in any communication regarding these issues.