GHSL-2024-126: Potential account takeover in Kong through Actions expression injection

Coordinated Disclosure Timeline

• 2024-06-24: Report sent to security@konghq.com
• 2024-06-02: Kong’s security team claims that only Kong’s employees can trigger the action on a protected branch, so the attack surface is significantly smaller.
• 2024-06-03: Security Lab reiterates the importance of fixing the underlying vulnerability.
• 2024-09-25: Publishing as per our disclosure policy.

Summary

Kong is vulnerable to Actions expression injection allowing an attacker to takeover the repository and steal secrets.

Project

Kong

Tested Version

v3.7.0

Details

Code Injection in release-and-tests-fail-bot.yml (GHSL-2024-126)

The release-and-tests-fail-bot.yml workflow is triggered on workflow_run (i.e., when an attacker sends a specially crafted Pull Request). The workflow starts with read-permissions GitHub repository token since the default workflow permissions on Organization/Repository level are set to read but it has access to secrets.

Taking the above into account, this workflow interpolates data controlled by said Pull Request (${{ github.event.workflow_run.head_branch }} – the name of the branch) into a Javascript action step’s script, allowing an attacker to takeover the GitHub Runner to run custom commands and alter the repository.

    - name: Generate Slack Payload
      id: generate-payload
      env:
        SLACK_CHANNEL: gateway-notifications
        SLACK_MAPPING: "${{ steps.fetch_mapping.outputs.result }}"
      uses: actions/github-script@v7
      with:
        script: |
          const pr_html_url = "${{ steps.retrieve_pr_info.outputs.pr_html_url }}";
          const workflow_name = "${{ github.event.workflow_run.name }}";
          const repo_name = "${{ github.event.workflow_run.repository.full_name }}";
          const branch_name = "${{ github.event.workflow_run.head_branch }}";
...

Impact

This issue may lead to stealing workflow secrets (eg: secrets.PAT and secrets.SLACK_GATEWAY_NOTIFICATIONS_WEBHOOK).

Resources

• CodeQL for JavaScript - Expression injection in Actions
• Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
• Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests

  Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-126 in any communication regarding this issue.