Coordinated Disclosure Timeline

Summary

Quarkus is vulnerable to Actions expression injection and Artifact Poisoning allowing an attacker to alter the repository and steal secrets.

Project

quarkus

Tested Version

Latest change set at time of writing: ed77ee257d543167d3593870d85acd468056fd7c

Details

Issue 1: Code Injection (GHSL-2024-124)

The preview.yml workflow is triggered on workflow_run when the “Quarkus Documentation CI” (doc-build.yml) workflow completes. An attacker can send a Pull Request that changes the doc-build.yml workflow so that any arbitrary content can be stored in the documentation artifact. This artifact is later downloaded by preview.yml:

      - name: Download PR Artifact
        uses: dawidd6/action-download-artifact@v3
        with:
          workflow: ${{ github.event.workflow_run.workflow_id }}
          workflow_conclusion: success
          name: documentation
          path: documentation-temp

The PR id read from that artifact (documentation-temp/pr-id.txt) is then stored in the steps.pr.outputs.id step output variable:

      - name: Store PR id as variable
        id: pr
        run: |
          echo "id=$(<documentation-temp/pr-id.txt)" >> $GITHUB_OUTPUT

The steps.pr.outputs.id variable is later interpolated into a run script, allowing an attacker to inject a bash command. Note that the workflow is executed with elevated privileges, so the injection can be used to take over the GitHub Runner, run custom commands and alter the repository.

      - name: Publishing to surge for preview
        id: deploy
        run: npx surge ./_site --domain https://quarkus-pr-main-${{ steps.pr.outputs.id }}-preview.surge.sh --token ${{ secrets.SURGE_TOKEN }}
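The following is an added hardening example, not Quarkus' own code: the artifact contents are treated as untrusted data, validated as a plain PR number before being written to $GITHUB_OUTPUT, and passed to later commands as an argument or environment variable instead of being spliced into the command text. At the workflow level the same value should reach the publishing step through an env: entry (e.g. PR_ID: ${{ steps.pr.outputs.id }}) and be referenced as "$PR_ID" in the script rather than via ${{ }} interpolation.

```shell
#!/bin/sh
# Added example (not Quarkus' own code): hardened replacement for the
# "Store PR id as variable" step. The pr-id.txt file comes from an artifact
# an attacker can control, so it must never be trusted as-is.

# read_pr_id FILE -> prints the validated PR number, or fails (non-zero)
# if the file holds anything other than a short run of ASCII digits.
read_pr_id() {
    file=$1
    [ -f "$file" ] || { echo "pr-id file missing: $file" >&2; return 1; }
    # Only the first line counts; strip a CR so a CRLF file is handled too.
    id=$(head -n 1 "$file" | tr -d '\r')
    case $id in
        ''|*[!0-9]*) echo "rejected pr-id: not a plain number" >&2; return 1 ;;
    esac
    # A PR number is small; anything longer is not a real id.
    [ ${#id} -le 10 ] || { echo "rejected pr-id: too long" >&2; return 1; }
    printf '%s\n' "$id"
}

# preview_domain PR_ID -> the surge preview domain. PR_ID arrives as data
# (an argument or env var), so it cannot alter the command being run.
preview_domain() {
    printf 'https://quarkus-pr-main-%s-preview.surge.sh\n' "$1"
}

# Demo with a constructed artifact directory (not a real download).
main() {
    tmp=$(mktemp -d)
    printf '1234\n' > "$tmp/pr-id.txt"
    if pr_id=$(read_pr_id "$tmp/pr-id.txt"); then
        # Outside Actions GITHUB_OUTPUT is unset, so fall back to stdout.
        printf 'id=%s\n' "$pr_id" >> "${GITHUB_OUTPUT:-/dev/stdout}"
        preview_domain "$pr_id"
    fi
    rm -rf "$tmp"
}

main
```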

This issue was found using CodeQL for GitHub Actions.

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Resources

Issue 2: Artifact Poisoning (GHSL-2024-125)

Similarly, the preview.yml workflow downloads an attacker-controlled script artifact (docs/sync-web-site.sh) and executes it:

      - name: Sync documentation
        shell: bash
        run: |
          chmod 755 ./documentation-temp/docs/sync-web-site.sh
          ./documentation-temp/docs/sync-web-site.sh main ../../
          rm -rf documentation-temp

This issue was found using CodeQL for GitHub Actions.

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Credit

These issues were discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-124 or GHSL-2024-125 in any communication regarding these issues.