Coordinated Disclosure Timeline

Summary

Ant-design-web3 is vulnerable to Actions expression injection allowing an attacker to alter the repository and steal secrets.

Project

Ant-design-web3

Tested Version

Latest changeset at the time of reporting.

Details

Code injection in preview-deploy.yml (GHSL-2024-281)

The preview-deploy.yml workflow is triggered on workflow_run when the “Preview Build” workflow (preview-build.yml, triggered on pull_request) completes. Because workflow_run workflows execute in the context of the base repository, preview-deploy.yml runs with the repository's secrets and a privileged GITHUB_TOKEN, while the artifact it consumes was produced by a workflow running on untrusted pull request code. An attacker can therefore send a Pull Request that changes preview-build.yml so that arbitrary content is stored in the pr-id.txt artifact. This artifact is later downloaded by preview-deploy.yml:

      - name: download pr artifact
        uses: dawidd6/action-download-artifact@v2
        with:
          workflow: ${{ github.event.workflow_run.workflow_id }}
          run_id: ${{ github.event.workflow_run.id }}
          name: pr

Then, the contents of pr-id.txt are stored, without any validation, in the steps.pr.outputs.id step output:

      - name: save PR id
        id: pr
        run: echo "id=$(<pr-id.txt)" >> $GITHUB_OUTPUT

Finally, the variable is interpolated into a run step:

      - name: upload surge service
        id: deploy
        run: |
          export DEPLOY_DOMAIN=https://preview-${{ steps.pr.outputs.id }}-ant-design-web3.surge.sh
          npx surge --project ./ --domain $DEPLOY_DOMAIN --token ${{ secrets.SURGE_TOKEN }}

The runner substitutes the ${{ steps.pr.outputs.id }} expression into the script text before bash parses it, so attacker-controlled content such as 42; <command> # becomes part of the script itself. The interpolation therefore allows injection of arbitrary commands into the bash script, and no amount of quoting inside the script can prevent it.
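The following is an added example, not code from the advisory or from the ant-design-web3 repository. It reproduces the two ways the workflow could consume pr-id.txt: vulnerable_step splices the id into the script source, exactly as the runner does with a ${{ }} expression inside run:, while hardened_step passes it through the environment (the equivalent of an env: mapping in the workflow) and accepts only a numeric PR id. The function names, the sample ids and the "deploying to" message are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory or the project). Simulates how the
# preview-deploy.yml run step consumes an attacker-controlled PR id.

# Constructed artifact contents: a genuine id and an injected command.
GOOD_ID="42"
EVIL_ID='42; echo INJECTED-COMMAND-RAN #'

# The runner expands ${{ steps.pr.outputs.id }} textually before bash sees the
# script. vulnerable_step reproduces that: the id is pasted into the script
# source, so shell metacharacters in it become shell syntax.
vulnerable_step() {
  local id="$1"
  local script
  script=$(printf 'export DEPLOY_DOMAIN=https://preview-%s-ant-design-web3.surge.sh\necho "deploying to $DEPLOY_DOMAIN"\n' "$id")
  bash -c "$script"
}

# hardened_step hands the id to the script through an environment variable
# (what `env: PR_ID: ${{ steps.pr.outputs.id }}` does on a runner). The value
# is then data, not code, and is validated against the expected format before
# use. Prints the deploy domain and returns 0 on success, 1 on a bad id.
hardened_step() {
  local id="$1"
  PR_ID="$id" bash -c '
    if ! [[ "$PR_ID" =~ ^[0-9]+$ ]]; then
      echo "refusing non-numeric PR id: $PR_ID" >&2
      exit 1
    fi
    export DEPLOY_DOMAIN="https://preview-${PR_ID}-ant-design-web3.surge.sh"
    echo "$DEPLOY_DOMAIN"
  '
}

# Demonstration when run directly.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "--- vulnerable, benign id ---";    vulnerable_step "$GOOD_ID"
  echo "--- vulnerable, injected id ---";  vulnerable_step "$EVIL_ID"
  echo "--- hardened, benign id ---";      hardened_step "$GOOD_ID"
  echo "--- hardened, injected id ---";    hardened_step "$EVIL_ID" || echo "rejected (exit $?)"
fi
```

With the injected id the vulnerable form runs the attacker's command and then continues with a truncated DEPLOY_DOMAIN, which is exactly what happens on a real runner with SURGE_TOKEN and GITHUB_TOKEN in scope. Moving the value into env: is the fix for the injection itself; the format check is defence in depth, since a workflow_run job should never trust artifact contents produced by a pull_request workflow without validating them.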

Impact

This issue may lead to theft of the SURGE_TOKEN workflow secret and to approval of other pull requests, because the workflow runs with the following permissions:

GITHUB_TOKEN Permissions
  Actions: read
  Issues: write
  Metadata: read
  PullRequests: write

Resources

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-281 in any communication regarding this issue.