Coordinated Disclosure Timeline
- 2024-07-10: Opened an issue asking for a security point of contact.
- 2024-08-02: Reported through GitHub’s Private Vulnerability Reporting (PVR).
- 2024-08-02: Fix is shared for review.
- 2024-08-05: Fix is merged.
Summary
Element+ is vulnerable to Poisoned Pipeline Execution (PPE), which may allow an attacker to gain write access to the repository and to the CROWDIN_TOKEN secret.
Project
Element+
Tested Version
Latest commit at the time of reporting
Details
Poisoned Pipeline Execution in publish-docs-deploy.yml (GHSL-2024-159)
The publish-docs-deploy.yml workflow is triggered when the "Publish to NPM registry" workflow has finished. The workflow checks out the HEAD SHA of the event that triggered the workflow run:
```yml
- name: Checkout
  uses: actions/checkout@v4
  with:
    ref: ${{ github.event.workflow_run.head_sha }}
    persist-credentials: false
```
After checking out the code, the workflow runs a number of steps using pnpm, such as:
```yml
- name: Init Crowdin token
  run: pnpm run docs:crowdin-credentials
  env:
    CROWDIN_TOKEN: ${{secrets.CROWDIN_TOKEN}}
```
An attacker would be able to submit a Pull Request with two changes:
- Modify .github/workflows/publish-npm.yml to:
```yml
name: Publish to NPM registry
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Should run on release"
```
- Modify the package.json line for the "docs:crowdin-credentials" script to include arbitrary commands:
```json
...
"scripts": {
  ...
  "docs:crowdin-credentials": "echo PWNED",
  ...
},
...
```
This Pull Request will trigger the execution of the vulnerable workflow and will run arbitrary commands in the context of a write-all privileged workflow.
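As an added defender-side check, not part of this advisory or of the Element+ project, the script below scans a workflow's text for the three signals that combine in this finding: a `workflow_run` trigger, a checkout of the triggering run's head SHA or branch, and a step that runs repository-controlled scripts. The hardened sample is an assumed variant (a job-level guard on the triggering event and branch, and no `ref:`), not the fix that was merged.

```python
"""Heuristic audit for the workflow_run PPE pattern (added example, not from the advisory)."""
import re

TRIGGER = re.compile(r"^\s*workflow_run\s*:", re.M)
# checkout pinned to the triggering run's head: attacker-controlled when that run came from a PR
UNTRUSTED_REF = re.compile(r"ref:\s*\$\{\{\s*github\.event\.workflow_run\.(head_sha|head_branch)\s*\}\}")
# guard that restricts the job to trusted origins (event type, branch, source repository)
GUARD = re.compile(r"github\.event\.workflow_run\.(event|head_branch|head_repository\.full_name)\s*==")
# steps that execute code from the checked-out tree (package scripts)
REPO_RUN = re.compile(r"^\s*-?\s*run:.*\b(pnpm|npm|yarn)\s+(run|test|install|ci|exec)\b", re.M)

def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file's text; an empty list means no PPE signal."""
    if not TRIGGER.search(text):
        return []  # the pattern only applies to workflow_run-triggered workflows
    findings = []
    if UNTRUSTED_REF.search(text):
        findings.append("checks out workflow_run.head_sha/head_branch")
    if not GUARD.search(text):
        findings.append("no guard on workflow_run.event/head_branch/head_repository")
    if findings and REPO_RUN.search(text):
        findings.append("runs repository-controlled scripts on the untrusted checkout")
    return findings

# Constructed samples: the shape described in the advisory, and an assumed hardened variant.
VULNERABLE = """\
on:
  workflow_run:
    workflows: ["Publish to NPM registry"]
    types: [completed]
jobs:
  deploy:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
      - run: pnpm run docs:crowdin-credentials
"""
HARDENED = """\
on:
  workflow_run:
    workflows: ["Publish to NPM registry"]
    types: [completed]
jobs:
  deploy:
    if: github.event.workflow_run.event == 'push' && github.event.workflow_run.head_branch == 'main'
    steps:
      - uses: actions/checkout@v4   # no ref: checks out the default branch, not the PR head
      - run: pnpm run docs:crowdin-credentials
"""
```

Note that `persist-credentials: false` on the checkout does not help here: the job's own secrets and token are still exposed to whatever the attacker-controlled scripts run.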
Impact
This issue may allow an attacker to gain full write access to the Element+ repository and to steal secrets.
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-159 in any communication regarding this issue.