Coordinated Disclosure Timeline

Summary

Stencil’s pack-and-comment.yml and tech-debt-burndown.yml workflows are vulnerable to Poisoned Pipeline Execution (PPE).

Project

Stencil

Tested Version

Latest commit at the time of reporting

Details

Execution of untrusted code in privileged workflow pack-and-comment.yml (GHSL-2024-168)

The pack-and-comment.yml workflow is triggered on the pull_request_target event, a privileged trigger that runs with access to secrets (as opposed to the pull_request trigger).

The workflow checks out untrusted code from the HEAD of the pull request, which can be controlled by anyone sending a pull request to Stencil:

- name: Checkout Code
  uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
  with:
    # the pull_request_target event will consider the HEAD of `main` to be the SHA to use.
    # attempt to use the SHA associated with a pull request and fallback to HEAD of `main`
    ref: ${{ github.event_name == 'pull_request_target' && format('refs/pull/{0}/merge', github.event.number) || '' }}
    persist-credentials: false

Right after checking out the untrusted code, it runs it:

- name: Get Core Dependencies
  uses: ./.github/workflows/actions/get-core-dependencies

A malicious actor may send a pull request that changes the code of .github/workflows/actions/get-core-dependencies/action.yml to run malicious commands in the context of a high-privileged GITHUB_TOKEN, which may allow this actor to take over the repository.
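The pattern described above (privileged trigger, checkout of a pull-request-controlled ref, then execution of a local action from that checkout) can be flagged mechanically when reviewing a repository's workflows. The following scanner is an added example written for this advisory; it is not Stencil's code nor a GitHub tool. Both workflow texts it scans are constructed to mirror the advisory's pattern, not copied from the Stencil repository, and the scanner parses line by line with regular expressions rather than a YAML library, so it is a triage aid rather than a complete policy engine.

```python
"""Heuristic scanner for Poisoned Pipeline Execution (PPE) patterns in a
GitHub Actions workflow: a pull_request_target trigger combined with a
checkout of pull-request-controlled code that is then executed.

Added example for this advisory; hypothetical, not Stencil's or GitHub's code.
"""
import re

# Constructed workflow modelled on the advisory's pattern (not Stencil's file).
VULNERABLE_WORKFLOW = """\
name: pack-and-comment
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  pull-requests: write
jobs:
  pack:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event_name == 'pull_request_target' && format('refs/pull/{0}/merge', github.event.number) || '' }}
          persist-credentials: false
      - name: Get Core Dependencies
        uses: ./.github/workflows/actions/get-core-dependencies
"""

# Constructed hardened variant: same trigger, but no ref override, so the
# checkout (and therefore the local action) comes from the base branch.
HARDENED_WORKFLOW = """\
name: pack-and-comment
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  pull-requests: write
jobs:
  pack:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        # pull_request_target checks out the base branch by default
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Get Core Dependencies
        uses: ./.github/workflows/actions/get-core-dependencies
      - name: Report
        run: echo "pack complete"
"""

# Expressions that resolve to a ref the pull-request author controls.
UNTRUSTED_REF = re.compile(
    r"refs/pull/|github\.event\.pull_request\.head|github\.head_ref"
)


def find_ppe_risks(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, finding) pairs for PPE-shaped step sequences."""
    jobs = re.search(r"^jobs:\s*$", workflow_text, re.M)
    if jobs is None:
        return []
    head, body = workflow_text[: jobs.start()], workflow_text[jobs.start():]
    # Under plain pull_request the token is read-only and secrets are withheld,
    # so only the privileged pull_request_target trigger is of interest here.
    if not re.search(r"\bpull_request_target\b", head):
        return []

    findings: list[tuple[int, str]] = []
    in_checkout = False          # currently inside an actions/checkout step
    untrusted_checkout = False   # a PR-controlled ref has been checked out
    for lineno, line in enumerate(body.splitlines(), start=head.count("\n") + 1):
        s = line.strip()
        if s.startswith("- "):   # a new step begins; leave any checkout step
            in_checkout = False
        if re.search(r"uses:\s*actions/checkout", s):
            in_checkout = True
            continue
        if in_checkout and s.startswith("ref:") and UNTRUSTED_REF.search(s):
            untrusted_checkout = True
            findings.append((lineno, "checkout of pull-request-controlled ref under pull_request_target"))
        elif untrusted_checkout and re.match(r"(-\s+)?uses:\s*\./", s):
            findings.append((lineno, "local action executed from untrusted checkout"))
        elif untrusted_checkout and re.match(r"(-\s+)?run:", s):
            findings.append((lineno, "run step after untrusted checkout: confirm it executes no repository files"))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {find_ppe_risks(text) or 'no PPE pattern found'}")
```

The hardened text shows one remediation: keep the privileged trigger but drop the `ref` override so every file executed by the job (including the local composite action) comes from the base branch. Where a job genuinely needs to build the pull request's own code, the alternative is to run that part under `pull_request` (no secrets, read-only token) and hand results to a separate privileged `workflow_run` job, which never executes the untrusted tree.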

Impact

This issue may lead to a repository takeover.

Resources

Execution of untrusted code in privileged workflow tech-debt-burndown (GHSL-2024-172)

The tech-debt-burndown.yml workflow is similarly vulnerable.

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-168 and GHSL-2024-172 in any communication regarding this issue.