Coordinated Disclosure Timeline
- 2024-09-06: Issue reported through GitHub’s Private Vulnerability Reporting (PVR).
- 2024-10-16: Asked for updates.
- 2024-10-30: Asked for updates.
- 2024-11-20: Asked for updates and proposed fix and hardening recommendations.
- 2024-11-20: Issue fixed in commit a6ae373.
Summary
Multiple Code Injection vulnerabilities exist in the check_properties.yml
workflow, allowing an external user to gain write permissions to the repository.
Project
Stirling PDF
Tested Version
Latest commit at the time of reporting.
Details
Issue 1: Code Injection in check_properties.yml#66 (GHSL-2024-205)
The Check Properties Files workflow is triggered on the privileged pull_request_target event and runs with both contents and pull_requests write permissions, which may allow a malicious actor to modify any files in the repository.
In the context described above:
- The workflow checks out the attacker-controlled pull request:
      - name: Checkout PR branch
        uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.ref }}
          path: pr-branch
          fetch-depth: 0
- It computes the list of files modified by that PR:
      - name: Fetch PR changed files
        id: fetch-pr-changes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "Fetching PR changed files..."
          cd pr-branch
          gh repo set-default ${{ github.repository }}
          gh pr view ${{ github.event.pull_request.number }} --json files -q ".files[].path" > ../changed_files.txt
          cd ..
          echo $(cat changed_files.txt)
          BRANCH_PATH="pr-branch"
          echo "BRANCH_PATH=${BRANCH_PATH}" >> $GITHUB_ENV
          CHANGED_FILES=$(cat changed_files.txt | tr '\n' ' ')
          echo "CHANGED_FILES=${CHANGED_FILES}" >> $GITHUB_ENV
- The list of changed files is stored in the CHANGED_FILES environment variable and later interpolated into a bash script, allowing an attacker to modify the code of the bash script and run arbitrary code:
      - name: Determine reference file
        id: determine-file
        run: |
          echo "Determining reference file..."
          if echo "${{ env.CHANGED_FILES }}" | grep -q 'src/main/resources/messages_en_GB.properties'; then
            echo "REFERENCE_FILE=pr-branch/src/main/resources/messages_en_GB.properties" >> $GITHUB_ENV
Since the workflow only triggers when a properties file is changed, the malicious PR can place its payload in the properties file name (e.g. src/main/resources/messages_
curl
Impact
This issue may allow a malicious actor to modify any files in the repository.
Issue 2: Code Injection in check_properties.yml#79 (GHSL-2024-206)
Likewise, line 79 of the same workflow contains a similar injection, again interpolating the untrusted CHANGED_FILES value directly into the script:
      - name: Run Python script to check files
        id: run-check
        run: |
          python main-branch/.github/scripts/check_language_properties.py --reference-file ${{ env.REFERENCE_FILE }} --branch ${{ env.BRANCH_PATH }} --files ${{ env.CHANGED_FILES }} > failure.txt || true
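Both issues share one root cause: a ${{ ... }} expression whose value is derived from the pull request is expanded by the Actions runner before the shell sees the script, so the value becomes part of the code rather than data. The script below is an added example (written for this advisory, not code from Stirling PDF or from GitHub Security Lab) that scans a workflow's run: steps for such expressions and classifies them, and it runs that scan over two constructed snippets: one mirroring the steps quoted above, and a hardened variant that hands the untrusted value to the shell through a step-level env: mapping and references it as a quoted variable, the standard GitHub-documented mitigation (whether this matches the project's own fix in commit a6ae373 is not stated on the page and is an assumption). The check.py script name and its --ref flag in the samples are hypothetical.

```python
import re

# Untrusted GitHub context values that a pull_request_target workflow must not
# expand directly inside a shell script. Illustrative, not exhaustive.
UNTRUSTED_PREFIXES = (
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.repo",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.head_ref",
)

# Matches one ${{ expression }} and captures the expression text.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_RE = re.compile(r"(?:-\s+)?run:\s*(.*)$")


def classify(expr):
    """Rate an expression found inside a run: script."""
    if expr.startswith(UNTRUSTED_PREFIXES):
        return "untrusted"        # attacker-controlled directly
    if expr.startswith("env."):
        return "indirect"         # env vars set via $GITHUB_ENV may carry PR data
    return "review"               # unknown context; needs a human look


def find_run_script_expressions(workflow_text):
    """Return (line_no, expression, verdict) for every ${{ }} expression that is
    expanded inside a run: script. Multi-line `run: |` blocks are tracked by
    indentation: lines indented deeper than the run: key belong to the script."""
    findings = []
    in_block = False
    block_indent = 0
    for line_no, raw in enumerate(workflow_text.splitlines(), start=1):
        stripped = raw.lstrip()
        indent = len(raw) - len(stripped)
        # Still inside a block scalar while lines are blank or indented deeper.
        script_line = in_block and (not stripped or indent > block_indent)
        if not script_line:
            in_block = False
        m = RUN_RE.match(stripped)
        if m:
            if m.group(1).strip() in ("|", ">", "|-", ">-"):
                in_block, block_indent = True, indent   # block scalar starts
                continue
            script_line = True                          # inline `run: cmd`
        if not script_line:
            continue
        for expr in EXPR_RE.findall(raw):
            findings.append((line_no, expr, classify(expr)))
    return findings


# Constructed sample mirroring the vulnerable steps (values inlined into the script).
VULNERABLE_STEPS = """\
      - name: Determine reference file
        id: determine-file
        run: |
          echo "Determining reference file..."
          if echo "${{ env.CHANGED_FILES }}" | grep -q 'src/main/resources/messages_en_GB.properties'; then
            echo "REFERENCE_FILE=pr-branch/src/main/resources/messages_en_GB.properties" >> $GITHUB_ENV
          fi
      - name: Run Python script to check files
        run: |
          python check.py --files ${{ env.CHANGED_FILES }} --ref ${{ github.event.pull_request.head.ref }}
"""

# Constructed hardened sample: untrusted data enters through env: and is only
# ever read by the shell as a quoted variable, so it cannot alter the script.
HARDENED_STEPS = """\
      - name: Run Python script to check files
        env:
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          python check.py --files "$CHANGED_FILES" --ref "$HEAD_REF"
"""


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_STEPS), ("hardened", HARDENED_STEPS)):
        hits = find_run_script_expressions(text)
        print(f"{label}: {len(hits)} finding(s)")
        for line_no, expr, verdict in hits:
            print(f"  line {line_no}: ${{{{ {expr} }}}} [{verdict}]")
```

The "indirect" verdict matters here: the CHANGED_FILES variable looks harmless because it is an env value, yet it was populated from PR file names by an earlier step, which is exactly how the quoted workflow is reached. Treat any ${{ env.X }} inside a run: script of a pull_request_target workflow as untrusted unless the step that set X is proven to use only repository-controlled data.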
Impact
This issue may allow a malicious actor to modify any files in the repository.
Credit
These issues were discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-205 or GHSL-2024-206 in any communication regarding these issues.