Coordinated Disclosure Timeline
- 2024-03-25: Opened an Issue asking for a security contact.
- 2024-03-25: Private Vulnerability Reporting is enabled on the repository.
- 2024-03-25: Opened a report via Private Vulnerability Reporting.
- 2024-03-25: Fix is committed.
Summary
Simple Icons is vulnerable to an Actions expression injection, allowing an attacker to take over the repository and steal secrets.
Project
Simple Icons
Tested Version
Details
Actions expression injection in autoclose-issues.yml (GHSL-2024-044)
The autoclose-issues.yml workflow is triggered on issue (i.e., when an Issue is created). The workflow starts with full write-permissions GitHub repository token since the default workflow permissions on Organization/Repository level are set to read-write.
Taking the above into account, this workflow injects data controlled by said Issue (${{ github.event.issue.title }} – the title of the Issue) into a Run step’s script, allowing an attacker to take over the GitHub Runner to run custom commands and alter the repository.
- id: match-java
name: Match Java
run: |
if [[ "${{ github.event.issue.title }}" =~ (^|[[:space:]])([jJ][aA][vV][aA])([[:space:]]|$) ]]; then
echo "match=true" >> $GITHUB_OUTPUT
fi
This issue was found using CodeQL for JavaScript’s Expression injection in Actions query.
Impact
This issue may lead to stealing workflow secrets and modification of the repository.
Proof of Concept
- Open an Issue with the following title:
$(whoami) - Check the workflow runs for the new Actions run that will execute the command
whoami.
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Credit
This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).
Contact
You can contact the GHSL team at [email protected], please include a reference to GHSL-2024-044 in any communication regarding this issue.