GitHub actions workflows untrusted code execution

Critical
abidlabs published GHSA-48pj-2428-pp3w Sep 25, 2024

Package

gradio-app/gradio (Repository)

Affected versions

< 9b42ba8f1006c05d60a62450d3036ce0d6784f86

Patched versions

None

Description

Summary

Gradio contains multiple workflows vulnerable to execution of untrusted code, enabling an attacker to steal secret tokens and gain write access to the Gradio repository.

Tested Version

Latest commit at the time of writing

Details

Gradio uses two triggering workflows, trigger-checks.yml and trigger-changeset.yml, that an attacker can trigger by sending a pull_request or commenting on a pull request (trigger-changeset only). These workflows trigger a variety of workflow_run workflows which have a common initial job called changes, which runs the gradio-app/gradio/.github/actions/changes@main reusable workflow. This workflow decides whether the rest of the workflow should run (steps.changes.outputs.should_run) based on the pull request's changed files and provides information about the triggering event. When the workflow_run workflow was triggered by a pull_request or an issue_comment on a pull request, steps.changes.outputs.merge_sha contains the SHA of the merge commit of the triggering pull request and therefore points to a commit that may include attacker-controlled files.

These workflows then use a second job where the merge commit of the triggering pull request gets checked out and, therefore, untrusted files will get used in the following steps of the same job. The following sections provide details about the vulnerable workflows, the untrusted code checkouts and the steps that execute untrusted code.
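The pattern described above can be audited for mechanically. The following is an added example, not code from the advisory or from the Gradio repository: a heuristic scanner that flags actions/checkout steps in workflow_run workflows whose ref comes from pull request data. The sample workflow, its workflow and script names, and every ref name other than merge_sha are assumptions made for illustration.

```python
import re

# Heuristic text scan (no YAML parser) for the pattern in this advisory: a
# workflow_run workflow whose actions/checkout step takes `ref:` from PR data.
TRIGGER = re.compile(r"^(on:.*\bworkflow_run\b|\s+workflow_run\s*:)", re.M)
CHECKOUT = re.compile(r"uses:\s*actions/checkout@")
REF = re.compile(r"^\s*ref:\s*(.+)$")
# merge_sha is the output named in the advisory; the other names are assumptions.
UNTRUSTED = re.compile(r"merge_sha|head_sha|head\.sha|head_ref|head\.ref|head_branch")

def find_untrusted_checkouts(text):
    """Return [(line_number, ref_value)] for checkouts of PR-controlled refs."""
    if not TRIGGER.search(text):
        return []  # not a workflow_run workflow: out of scope for this check
    lines, findings = text.splitlines(), []
    for i, line in enumerate(lines):
        if not CHECKOUT.search(line):
            continue
        key_col = line.index("uses:")  # column where this step's keys start
        for j, nxt in enumerate(lines[i + 1:], start=i + 2):
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_col:
                break  # a less-indented line means the next step or job
            m = REF.match(nxt)
            if m and UNTRUSTED.search(m.group(1)):
                findings.append((j, m.group(1).strip()))
    return findings

# Constructed sample, not Gradio's actual workflow file.
SAMPLE = """\
on:
  workflow_run:
    workflows: ["trigger-checks"]
jobs:
  changes:
    outputs:
      merge_sha: ${{ steps.changes.outputs.merge_sha }}
    steps:
      - uses: gradio-app/gradio/.github/actions/changes@main
  test:
    needs: changes
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.changes.outputs.merge_sha }}
      - run: ./scripts/run-tests.sh
"""

for line_no, ref in find_untrusted_checkouts(SAMPLE):
    print(f"line {line_no}: checkout of untrusted ref {ref}")
```

A finding means every later step in that job runs with pull-request-controlled files on disk, so the job's token permissions and secrets should be reviewed together with the checkout.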

Issue 1: Execution of untrusted code in test-hygiene.yml (GHSL-2024-150)

Impact

  • Write access to commit statuses scope

Issue 2: Execution of untrusted code in tests-js.yml (GHSL-2024-151)

Impact

  • Write access to commit statuses scope
  • Access to secrets.VERCEL_ORG_ID
  • Access to secrets.VERCEL_PROJECT_ID

Issue 3: Execution of untrusted code in generate-changeset.yml (GHSL-2024-152)

Note: It is unclear whether arbitrary code execution could be achieved within the gradio-app/github/actions/generate-changeset reusable workflow, but given that it runs in a highly privileged context with an untrusted checkout, we decided to report it.

Impact

  • Write access to ALL scopes
  • Access to secrets.COMMENT_TOKEN

Issue 4: Execution of untrusted code in deploy-spaces.yml (GHSL-2024-153)

Impact

  • Write access to commit statuses scope
  • Access to secrets.PR_DEPLOY_KEY
  • Access to secrets.PR_DEPLOY_SECRET
  • Access to secrets.SPACES_DEPLOY_TOKEN
  • Access to secrets.WEBSITE_SPACES_DEPLOY_TOKEN

Issue 5: Execution of untrusted code in deploy+test-visual.yml (GHSL-2024-154)

Impact

  • Write access to commit statuses scope
  • Access to secrets.CHROMATIC_PROJECT_TOKEN

Issue 6: Execution of untrusted code in deploy-website.yml (GHSL-2024-155)

Impact

  • Write access to commit statuses scope
  • Access to secrets.VERCEL_ORG_ID
  • Access to secrets.VERCEL_PROJECT_ID
  • Access to secrets.AWSACCESSKEYID
  • Access to secrets.AWSSECRETKEY
  • Access to secrets.VERCEL_TOKEN
  • Access to secrets.CHROMATIC_PROJECT_TOKEN

Issue 7: Execution of untrusted code in test-functional.yml (GHSL-2024-156)

Impact

  • Write access to commit statuses scope

Issue 8: Execution of untrusted code in test-python.yml (GHSL-2024-157)

Impact

  • Write access to commit statuses scope
  • Access to secrets.HF_TOKEN

Severity

Critical

CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

CVE ID

No known CVE

Weaknesses

No CWEs
