GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2020-313 #135

Open
JarLob opened this issue Mar 2, 2021 · 2 comments
Comments


JarLob commented Mar 2, 2021

We have been unsuccessfully trying to contact the repository owners since 2020-11-30.
The issue affects master, Janglee123-patch-2, Janglee123-patch-1 and revert-83-master branches.

Summary

The auto_merge.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.

Tested Version

The latest changeset a43fb3c to date.

Details

Issue: Untrusted code is explicitly checked out and run on a Pull Request from a fork

pull_request_target was introduced to allow triggered workflows to comment on PRs, label them, assign people, etc. To make that possible, the triggered action runner has a read/write token for the base repository and access to secrets. To prevent untrusted code from executing, it runs in the context of the base repository.

By explicitly checking out and running the build script from a fork, the untrusted code runs in an environment that is able to push to the base repository and to access secrets.

on:
  pull_request_target:
    paths:
    - 'public/directory/**.json'
...
      uses: actions/checkout@v2
      with:
        ref: ${{github.event.pull_request.head.ref}}
        repository: ${{github.event.pull_request.head.repo.full_name}}
    
    - name: Yarn install
      uses: actions/setup-node@v1
    - run: yarn install

Impact

The vulnerability allows for unauthorized modification of the base repository and secrets exfiltration.

Remediation

Use the pull_request trigger, which has no read/write repository token and no access to secrets. If at some point write access is needed, split the workflow in two and use workflow_run.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-313 in any communication regarding this issue.

Disclosure Policy

This report is subject to our coordinated disclosure policy.
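The split that the Remediation section describes, as an added example that is not the project's workflow and not part of the original report. The first file runs the fork's code under pull_request, where a fork PR gets a read-only token and no repository secrets; the second runs under workflow_run with write access but never checks out or executes anything from the PR. The paths filter and the yarn install step are taken from the snippet above; the workflow names, the validate-directory script and the pr_number artifact are assumptions.

```yaml
# .github/workflows/pr-validate.yml  (added example, not the project's file)
# Triggered by pull_request: for a fork PR the GITHUB_TOKEN is read-only and
# repository secrets are not available, so this is the only job that may
# run code from the PR.
name: PR validate
on:
  pull_request:
    paths:
      - 'public/directory/**.json'
permissions:
  contents: read
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      # Default checkout of the PR merge commit; still untrusted, but unprivileged here.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: yarn install --frozen-lockfile
      # Assumed project check; replace with the real validation of the JSON files.
      - run: yarn run validate-directory
      # workflow_run events carry no pull_request details for fork PRs,
      # so pass the PR number to the privileged workflow through an artifact.
      - run: echo "${{ github.event.pull_request.number }}" > pr_number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: pr_number
          path: pr_number.txt
---
# .github/workflows/pr-merge.yml  (added example, not the project's file)
# Triggered by workflow_run: runs from the base branch with a write token,
# and never checks out or executes anything from the PR.
name: PR auto-merge
on:
  workflow_run:
    workflows: ["PR validate"]
    types: [completed]
permissions:
  contents: write
  pull-requests: write
jobs:
  merge:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            const { owner, repo } = context.repo;
            const run = context.payload.workflow_run;

            // Fetch the artifact that the validation run uploaded.
            const { data } = await github.rest.actions.listWorkflowRunArtifacts({
              owner, repo, run_id: run.id });
            const artifact = data.artifacts.find(a => a.name === 'pr_number');
            if (!artifact) throw new Error('pr_number artifact missing');
            const zip = await github.rest.actions.downloadArtifact({
              owner, repo, artifact_id: artifact.id, archive_format: 'zip' });
            require('fs').writeFileSync('pr_number.zip', Buffer.from(zip.data));
            await exec.exec('unzip', ['-o', 'pr_number.zip']);

            // The artifact was written by the untrusted job: treat it as attacker input.
            const text = require('fs').readFileSync('pr_number.txt', 'utf8').trim();
            if (!/^[0-9]+$/.test(text)) throw new Error('bad PR number in artifact');
            const pull_number = Number(text);

            // Only merge the PR whose head is the commit that was actually validated.
            const { data: pr } = await github.rest.pulls.get({ owner, repo, pull_number });
            if (pr.head.sha !== run.head_sha) {
              throw new Error('artifact PR number does not match validated commit');
            }
            await github.rest.pulls.merge({
              owner, repo, pull_number, sha: pr.head.sha, merge_method: 'squash' });
```

The privileged job treats the artifact as untrusted because the fork's job wrote it: it accepts only a decimal PR number, checks that the PR's head commit equals workflow_run.head_sha (the commit the first workflow validated), and passes that SHA to the merge call so the merge fails if the PR head moved in the meantime.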


Janglee123 (Member) commented

Disabled the workflow for now.
