Coordinated Disclosure Timeline
- 2024-06-24: Report sent to afc163@gmail.com
- 2024-07-19: Reported through GitHub’s Private Vulnerability Reporting (PVR).
- 2024-07-23: Fix PRs (#50019 and #50001) merged.
Summary
The GitHub Actions workflows of ant-design are vulnerable to expression injection, allowing an attacker to run arbitrary code on the workflow runner, alter the repository and steal secrets.
Project
ant-design
Tested Version
Latest change set at the time of reporting.
Details
Issue 1: Code injection in visual-regression-diff-finish.yml (GHSL-2024-121)
The visual-regression-diff-finish.yml workflow is triggered on workflow_run when the “👀 Visual Regression Diff Build” workflow completes. The build workflow runs in the context of the pull request that triggered it, so an attacker can send a Pull Request that changes visual-regression-diff-build.yml so that arbitrary content is stored in the visual-regression-pr-id.txt artifact. The workflow_run workflow, by contrast, runs in the context of the default branch with a write-capable GITHUB_TOKEN and access to secrets, and it downloads that artifact in visual-regression-diff-finish.yml:
      # We need get persist-index first
      - name: download image snapshot artifact
        uses: dawidd6/action-download-artifact@v6
        with:
          workflow: ${{ github.event.workflow_run.workflow_id }}
          run_id: ${{ github.event.workflow_run.id }}
          name: visual-regression-diff-ref
          path: ./tmp
The PR id file from that artifact is then read, unvalidated, into the steps.pr.outputs.id step output:
      # Save PR id to output
      - name: save PR id
        id: pr
        run: echo "id=$(<tmp/visual-regression-pr-id.txt)" >> $GITHUB_OUTPUT
The steps.pr.outputs.id output is later interpolated into the script of an actions/github-script step. Since ${{ }} expressions are expanded textually before the script is handed to the action, an attacker who controls the artifact can change the JavaScript that is executed. That script runs with the workflow's GITHUB_TOKEN, which lets the attacker take over the GitHub runner, run custom commands and alter the repository.
      - name: Reset Commit Status
        uses: actions/github-script@v7
        if: ${{ steps.report.outcome == 'success' }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const prResponse = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: ${{ steps.pr.outputs.id }},
            });
            ...
This issue was found using CodeQL for GitHub Actions.
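The pattern behind both issues on this page, an expression expanded inside a run or script body, is something a lightweight check can surface before a full CodeQL run. The following Python script is an added example and is not part of the advisory or of the ant-design project. It walks a workflow file line by line, tracks run: and script: block scalars by indentation, and reports every ${{ }} expression in them whose source is a step output or a github.event field. The embedded workflow text is constructed from the steps quoted in this advisory plus a hardened variant that passes the value through an env: entry. Unlike CodeQL it does not track data flow, so it flags every step output for review, not only those fed by an untrusted artifact.

```python
import re

# Constructed sample: the vulnerable steps quoted in the advisory plus one
# hardened step that moves the expression into `env:` and reads it as $PR_ID.
SAMPLE_WORKFLOW = """\
jobs:
  finish:
    steps:
      - name: save PR id
        id: pr
        run: echo "id=$(<tmp/visual-regression-pr-id.txt)" >> $GITHUB_OUTPUT
      - name: Reset Commit Status
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const prResponse = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: ${{ steps.pr.outputs.id }},
            });
      - name: upload surge service
        run: |
          export DEPLOY_DOMAIN=https://preview-${{ steps.pr.outputs.id }}-ant-design.surge.sh
          npx surge --project ./ --domain $DEPLOY_DOMAIN --token ${{ secrets.SURGE_TOKEN }}
      - name: hardened upload
        env:
          PR_ID: ${{ steps.pr.outputs.id }}
        run: |
          export DEPLOY_DOMAIN="https://preview-${PR_ID}-ant-design.surge.sh"
"""

# A `run:` or `script:` key, optionally preceded by a list dash, optionally
# introducing a block scalar (| or >) whose body is on the following lines.
SCRIPT_KEY = re.compile(r"^(\s*)(-\s+)?(run|script):\s*([|>][-+]?)?\s*(.*)$")
EXPRESSION = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Heuristic list of expression sources an attacker may influence. A step output
# is only dangerous when it carries untrusted data (here: the artifact), which
# a textual check cannot know, so every step output is reported for review.
UNTRUSTED = re.compile(r"^(steps\.[\w-]+\.outputs\.[\w-]+|github\.event\..*|github\.head_ref)$")


def scan(lineno, text):
    """Return (line_number, expression) for each untrusted expression in one script line."""
    return [(lineno, m.group(1)) for m in EXPRESSION.finditer(text)
            if UNTRUSTED.match(m.group(1))]


def find_injections(workflow_text):
    """Report untrusted expressions that are expanded inside run:/script: bodies."""
    findings = []
    block_indent = None  # indent of the key whose block scalar we are inside, else None
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        if block_indent is not None:
            indent = len(line) - len(line.lstrip())
            if not line.strip() or indent > block_indent:
                findings += scan(lineno, line)
                continue
            block_indent = None  # dedented: the block scalar has ended
        m = SCRIPT_KEY.match(line)
        if not m:
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        if m.group(4):
            block_indent = key_indent  # body follows on deeper-indented lines
        else:
            findings += scan(lineno, m.group(5))  # inline script on this line
    return findings


if __name__ == "__main__":
    for lineno, expr in find_injections(SAMPLE_WORKFLOW):
        print(f"line {lineno}: untrusted expression ${{{{ {expr} }}}} inside a script body")
```

On the constructed sample the check reports the pull_number line of the github-script step and the export DEPLOY_DOMAIN line of the run step, and stays silent on the hardened step, whose expression sits in env: rather than in the script text.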
Impact
This issue may lead to stealing workflow secrets and modification of the repository.
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Issue 2: Code injection in preview-deploy.yml (GHSL-2024-122)
Similarly, preview-deploy.yml, which is also triggered on workflow_run, downloads an attacker-controlled artifact:
      - name: download pr artifact
        uses: dawidd6/action-download-artifact@v6
        with:
          workflow: ${{ github.event.workflow_run.workflow_id }}
          run_id: ${{ github.event.workflow_run.id }}
          name: pr
Then, it stores the artifact's contents into the steps.pr.outputs.id step output variable.
      - name: save PR id
        id: pr
        run: echo "id=$(<pr-id.txt)" >> $GITHUB_OUTPUT
Finally, the variable is interpolated into a run step. The runner expands the expression before the shell parses the script, so a value containing shell metacharacters (for example a ";" followed by a command) runs arbitrary code with the workflow's privileges, in the same script into which secrets.SURGE_TOKEN is expanded:
      - name: upload surge service
        id: deploy
        continue-on-error: true
        run: |
          export DEPLOY_DOMAIN=https://preview-${{ steps.pr.outputs.id }}-ant-design.surge.sh
          npx surge --project ./ --domain $DEPLOY_DOMAIN --token ${{ secrets.SURGE_TOKEN }}
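To make the mechanism concrete, the following Python script is an added example, not code from the advisory or from ant-design. It imitates what the runner does with the upload step above: the ${{ steps.pr.outputs.id }} expression is substituted into the script text before sh ever parses it, so an artifact containing a shell separator turns data into commands. The npx surge call is replaced by an echo so the example runs offline. The hardened variant is this example's own suggestion, following the "Untrusted input" guidance linked under Resources rather than the project's actual fix PRs: the value reaches the script only as an environment variable and is rejected unless it is a plain number.

```python
import os
import re
import subprocess

# Constructed template mirroring the advisory's `upload surge service` step,
# with `npx surge` replaced by an echo so it runs offline.
VULNERABLE_STEP = """\
export DEPLOY_DOMAIN=https://preview-${{ steps.pr.outputs.id }}-ant-design.surge.sh
echo "deploying to $DEPLOY_DOMAIN"
"""

# Hardened variant: the untrusted value arrives as $PR_ID (set from an `env:`
# entry in the workflow), never as script text, and is rejected unless it is
# a decimal number. The expression injection is gone because sh only ever
# parses fixed script text.
HARDENED_STEP = """\
case "$PR_ID" in
  ''|*[!0-9]*) echo "refusing non-numeric PR id" >&2; exit 1 ;;
esac
export DEPLOY_DOMAIN="https://preview-${PR_ID}-ant-design.surge.sh"
echo "deploying to $DEPLOY_DOMAIN"
"""

EXPRESSION = re.compile(r"\$\{\{\s*steps\.pr\.outputs\.id\s*\}\}")

# Constructed attacker payload: what the pr artifact could contain instead of a
# PR number. The trailing '#' comments out the rest of the template line.
PAYLOAD = "1; echo INJECTED; #"


def expand(template, pr_id):
    """Mimic the runner: the expression is replaced textually before sh parses the script."""
    return EXPRESSION.sub(lambda _m: pr_id, template)


def run_vulnerable(pr_id):
    """Expand the expression into the script text, then hand the result to sh."""
    script = expand(VULNERABLE_STEP, pr_id)
    proc = subprocess.run(["sh", "-c", script], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def run_hardened(pr_id):
    """Script text is constant; the value travels through the environment."""
    env = {**os.environ, "PR_ID": pr_id}
    proc = subprocess.run(["sh", "-c", HARDENED_STEP], env=env, capture_output=True, text=True)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    print("expanded script:\n" + expand(VULNERABLE_STEP, PAYLOAD))
    print("vulnerable, payload:   ", run_vulnerable(PAYLOAD))
    print("hardened, payload:     ", run_hardened(PAYLOAD))
    print("hardened, valid id:    ", run_hardened("12345"))
```

With the payload, the vulnerable step prints INJECTED before the deploy line, showing that the artifact content became a command; the hardened step exits with status 1 and prints nothing to stdout. On a real runner the same script line also receives the expanded SURGE_TOKEN, which is why the injection also means secret theft.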
This issue was found using CodeQL for GitHub Actions.
Impact
This issue may lead to stealing workflow secrets and modification of the repository.
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Resources
- https://github.com/ant-design/ant-design/security/advisories/GHSA-r4cf-rp2g-2pxj#advisory-comment-106561
Credit
These issues were discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-121 or GHSL-2024-122 in any communication regarding these issues.