Coordinated Disclosure Timeline

Summary

Cilium push-chart-ci.yaml and build-images-base.yaml workflows are vulnerable to script injection.

Project

Cilium

Tested Version

Latest commit at the time of reporting.

Details

Issue 1: Code injection in push-chart-ci.yaml (GHSL-2024-274)

The push-chart-ci.yaml workflow uses a branch name from a fork in unsafe manner:

echo ref="${{ github.event.workflow_run.head_branch }}" >> $GITHUB_OUTPUT

The branch name is user controlled and may contain double quotes.

Impact

An attacker may inject arbitrary bash commands. The workflow runs with read only permissions, however, it reads the QUAY_CHARTS_DEV_PASSWORD and QUAY_CHARTS_DEV_USERNAME secrets and therefore the attacker-controlled code will be able to dump the runner’s memory and exfiltrate these secrets.

Resources

Steps to reproduce

name: Hot Fix Image Release Build
on:
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "ok"

Issue 2: Code injection in build-images-base.yaml (GHSL-2024-275)

The build-images-base.yaml is a workflow that runs on workflow_call or pull_request_target events. The workflow runs on pull request only if anything is changed under images/runtime/** or images/builder/** paths.

on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
    paths:
      - images/runtime/**
      - images/builder/**
  # This workflow can be reused so that renovate can execute this workflow_dispatch:
  # run from a different environment than 'release-base-images'. See
  # build-images-base-renovate.yaml
  workflow_call:
...

In case of pull request a malicious user controls the value of github.event.pull_request.head.ref that is set in the last step of the build-and-push job to the rev environment variable. Later the untrusted ref value is consumed by using script interpolation, which allows for bash script injection.

- name: Push changes into PR
  env:
    ref: ${{ github.event.pull_request.head.ref || github.ref }}
    repository:  ${{ github.event.pull_request.head.repo.full_name || github.repository }}
  if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' || steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
  run: |
    git diff HEAD^
    git push https://x-access-token:${{ steps.get_token.outputs.app_token }}@github.com/${{ env.repository }}.git HEAD:${{ env.ref }}

Impact

The workflow has access to QUAY_BASE_RELEASE_USERNAME, QUAY_BASE_RELEASE_PASSWORD, AUTO_COMMITTER_PEM and secrets.AUTO_COMMITTER_APP_ID secrets that can be stolen and runs with the following permissions that may be potentially used to compromise docker images from other runs:

permissions:
  # To be able to access the repository with `actions/checkout`
  contents: read
  # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
  id-token: write

Resources

Steps to reproduce

Credit

These issues were discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-274 or GHSL-2024-275 in any communication regarding these issues.