Coordinated Disclosure Timeline
- 2024-10-22: Reported through MSRC.
- 2024-11-04: Vulnerable workflow is removed.
- 2024-11-27: MSRC issue is closed as resolved.
Summary
Secret exfiltration on GitHub’s Azure/api-management-developer-portal repository.
Project
Azure API Management Developer Portal
Tested Version
Latest commit at the time of reporting.
Details
Code Injection (GHSL-2024-312)
The workflow cleanUpOpenenedIssues.yaml is triggered manually by maintainers of the repo:

```yaml
on:
  workflow_dispatch:
```
However, the workflow loads untrusted data by fetching all open issues in the repository and dumping the response into the issues.json file:

```yaml
- name: Fetch open issues
  id: issues
  uses: octokit/request-action@v2.x
  with:
    route: GET /repos/Azure/api-management-developer-portal/issues?state=open
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUBACTIONS_TOKEN }}
- name: Write issues to file
  run: |
    echo '${{ steps.issues.outputs.data }}' > issues.json
```
Because ${{ steps.issues.outputs.data }} contains untrusted data and is interpolated into a Bash script, a malicious actor could create an issue with a body or title of: "foo'`whoami`'bar", which, when interpolated into the script, breaks out of the single-quote context, injects the whoami command and returns to the single-quote context.
By gaining code execution in the runner, the attacker would be able to gain the permissions of the GITHUB_TOKEN and also those of the secrets.GITHUBACTIONS_TOKEN token, both of them unknown to the reporter.
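To make the single-quote breakout and its fix concrete, here is an added example (not code from the advisory or the Azure repository) that simulates, outside of GitHub Actions, how the expression is pasted into the script text before the shell runs it. The constructed issue data uses a harmless `echo INJECTED` marker in place of whoami, and the hardened step in the comments is an assumed fix, not the one the maintainers shipped.

```shell
#!/bin/sh
# Constructed issue payload: same quote-breakout shape as the advisory,
# with a benign marker command instead of whoami.
ISSUE_JSON=$(cat <<'EOF'
[{"title":"foo'`echo INJECTED`'bar","body":"hello"}]
EOF
)

# Vulnerable pattern: Actions substitutes ${{ steps.issues.outputs.data }} into
# the run script *textually*, so quotes and backticks in the data become shell
# syntax. Returns what actually lands in the file.
unsafe_write() {
  out=$(mktemp)
  script="echo '$1' > $out"      # what the runner's script looks like after expansion
  sh -c "$script"
  cat "$out"; rm -f "$out"
}

# Hardened pattern: the data travels in an environment variable and is only ever
# expanded by the shell as a quoted variable, never parsed as script text.
# Equivalent (assumed) workflow step:
#   - name: Write issues to file
#     env:
#       ISSUES_DATA: ${{ steps.issues.outputs.data }}
#     run: printf '%s\n' "$ISSUES_DATA" > issues.json
safe_write() {
  out=$(mktemp)
  ISSUES_DATA="$1" OUT="$out" sh -c 'printf "%s\n" "$ISSUES_DATA" > "$OUT"'
  cat "$out"; rm -f "$out"
}

# Regression check a maintainer can keep: the file must contain the API
# response verbatim; any change means the data was interpreted as code.
data_preserved() {
  [ "$(safe_write "$1")" = "$1" ]
}

if [ "${0##*/}" != "sh" ]; then
  echo "unsafe: $(unsafe_write "$ISSUE_JSON")"   # marker command ran, backticks gone
  echo "safe:   $(safe_write "$ISSUE_JSON")"     # payload written literally
fi
```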
Impact
This issue may lead to arbitrary code execution and secrets exfiltration.
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-312 in any communication regarding this issue.