Coordinated Disclosure Timeline

Summary

Discord.js is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.

Project

Discord.js

Tested Version

Latest commit at the time of reporting

Details

Code Injection in pr-triage.yml workflow (GHSL-2024-145)

The pr-triage.yml workflow in the chore/label-enhancements branch is triggered on pull_request_target (i.e., when a pull request is created). The workflow starts with a GitHub repository token that has full write permissions, since the default workflow permissions at the Organization/Repository level are set to read-write:

GITHUB_TOKEN Permissions
  Actions: write
  Attestations: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

Taking the above into account, this workflow injects data controlled by the Pull Request author (${{ github.event.pull_request.title }} – the title of the Pull Request) directly into a Run step's script. Because the expression is expanded before the shell sees the script, a crafted title is interpreted as shell code, allowing an attacker to take over the GitHub Runner, run custom commands and alter the repository.

- name: Validate pull request title
  run: |
    TITLE="${{ github.event.pull_request.title }}"
    REGEX="^(revert: )?(feat|fix|docs|style|refactor|perf|test|workflow|build|ci|chore|types|wip)(\\(.+\\))?: .{1,72}$"

    echo "Title: \"$TITLE\""

    if [[ ! "$TITLE" =~ $REGEX ]]; then
      exit 1
    fi

This issue was found using CodeQL for JavaScript’s Expression injection in Actions query.
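The following is an added example, not code from the advisory or from the discord.js project. It is a small line-oriented scanner in the spirit of the CodeQL query referenced above: it looks for ${{ ... }} expressions inside run: scripts and flags those that read from contexts GitHub documents as attacker-controlled (the list below is an assumed subset of that documentation). Alongside it, the constructed VULNERABLE_STEP reproduces the shape of the affected step, and HARDENED_STEP shows the standard mitigation of passing the title through env: so the shell receives it as data rather than as script text. The scanner is a heuristic over raw text, not a YAML parser.

```python
"""Heuristic detector for GitHub Actions expression injection in run: steps.

Added example (not part of the GHSL advisory or the discord.js repository).
"""
import re

# Assumed subset of the contexts GitHub documents as untrusted input on
# pull_request_target / issue / comment events.
UNTRUSTED_CONTEXTS = [
    r"github\.event\.pull_request\.title",
    r"github\.event\.pull_request\.body",
    r"github\.event\.pull_request\.head\.ref",
    r"github\.event\.pull_request\.head\.label",
    r"github\.event\.issue\.title",
    r"github\.event\.issue\.body",
    r"github\.event\.comment\.body",
    r"github\.event\.review\.body",
    r"github\.event\.head_commit\.message",
    r"github\.event\.commits\[\d+\]\.message",
    r"github\.head_ref",
]
UNTRUSTED_RE = re.compile("|".join(UNTRUSTED_CONTEXTS))
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")
# Matches "run:" as a step key, with or without a leading list dash.
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def indent(line):
    """Number of leading spaces on a line."""
    return len(line) - len(line.lstrip(" "))


def find_injections(workflow_text):
    """Return [(line_no, expression)] for untrusted expressions inside run: scripts."""
    findings = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1))          # column where the "run" key starts
        value = m.group(2).strip()
        script_lines = [(i + 1, value)]    # inline form: the script is on this line
        i += 1
        if value in ("|", ">", "|-", ">-", "|+", ">+"):
            # Block scalar: every following line indented deeper than the key
            # (or blank) belongs to the script body.
            while i < len(lines) and (lines[i].strip() == "" or indent(lines[i]) > key_col):
                script_lines.append((i + 1, lines[i]))
                i += 1
        for line_no, text in script_lines:
            for expr in EXPR_RE.finditer(text):
                if UNTRUSTED_RE.search(expr.group(1)):
                    findings.append((line_no, expr.group(0)))
    return findings


# Constructed sample: the shape of the affected step (expression expanded into the script).
VULNERABLE_STEP = """- name: Validate pull request title
  run: |
    TITLE="${{ github.event.pull_request.title }}"
    echo "Title: $TITLE"
"""

# Constructed sample: same check, with the title passed as an environment variable.
# The expression is expanded into the env value, and the script only reads $TITLE.
HARDENED_STEP = """- name: Validate pull request title
  env:
    TITLE: ${{ github.event.pull_request.title }}
  run: |
    REGEX="^(revert: )?(feat|fix|docs|style|refactor|perf|test|workflow|build|ci|chore|types|wip)(\\\\(.+\\\\))?: .{1,72}$"
    echo "Title: $TITLE"
    if [[ ! "$TITLE" =~ $REGEX ]]; then
      exit 1
    fi
"""

# Constructed sample: inline run with one untrusted and one trusted expression.
INLINE_STEP = '- run: echo "${{ github.event.issue.title }} in ${{ github.repository }}"'


if __name__ == "__main__":
    for name, text in [("vulnerable", VULNERABLE_STEP),
                       ("hardened", HARDENED_STEP),
                       ("inline", INLINE_STEP)]:
        print(name, find_injections(text))
```

The hardened form works because env: values are set as environment variables by the runner before the shell starts, so the title is never part of the script text and the bash regex check still runs exactly as before. A real deployment would pair a scanner like this with restricting the default GITHUB_TOKEN permissions to read-only, so that an injected step has far less to abuse.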

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Proof of Concept

  1. Open a Pull Request against the chore/label-enhancements branch with the following title: hello"; echo `whoami` #
  2. Check the workflow runs for the new Actions run that will execute the command whoami and print the word runner.

Resources

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-145 in any communication regarding this issue.