GHSL-2024-051: GitHub Actions expression injection in Misskey

Coordinated Disclosure Timeline

• 2024-03-25: Opened a report through Private Vulnerability Reporting.
• 2024-04-03: Fix committed.

Summary

Misskey is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.

Project

Misskey

Tested Version

2024.3.1

Details

Actions expression injection in storybook.yml (GHSL-2024-051)

The storybook.yml workflow is triggered on pull_request_target (i.e., when a Pull Request is created). The workflow starts with full write-permissions GitHub repository token since the default workflow permissions on Organization/Repository level are set to read-write.

Taking the above into account, this workflow injects data controlled by said Pull Request (${{ github.event.pull_request.head.ref }} – the name of the branch) into a Run step’s script, allowing an attacker to take over the GitHub Runner to run custom commands and alter the repository.

- name: Publish to Chromatic
  if: github.event_name == 'pull_request_target'
  id: chromatic_pull_request
  run: |
    DIFF="${{ steps.rev.outputs.base }} HEAD"
    if [ "$DIFF" = "0000000000000000000000000000000000000000 HEAD" ]; then
      DIFF="HEAD"
    fi
    CHROMATIC_PARAMETER="$(node packages/frontend/.storybook/changes.js $(git diff-tree --no-commit-id --name-only -r $(echo "$DIFF") | xargs))"
    if [ "$CHROMATIC_PARAMETER" = " --skip" ]; then
      echo "skip=true" >> $GITHUB_OUTPUT
    fi
    BRANCH="${{ github.event.pull_request.head.user.login }}:${{ github.event.pull_request.head.ref }}"
    if [ "$BRANCH" = "misskey-dev:${{ github.event.pull_request.head.ref }}" ]; then
      BRANCH="${{ github.event.pull_request.head.ref }}"
    fi
    pnpm --filter frontend chromatic --exit-once-uploaded -d storybook-static --branch-name $BRANCH $(echo "$CHROMATIC_PARAMETER")
  env:
    CHROMATIC_PROJECT_TOKEN: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Proof of Concept

1. Fork the misskey-dev/misskey repository, whose name we will refer as username/misskey-fork.
2. Create a branch in username/misskey-fork with the name develop";echo${IFS}"hello";#.
3. Push any change to the former branch.
4. Create a pull request from username/misskey-fork:develop";echo${IFS}"hello";# to misskey-dev/misskey:develop.
5. Check the workflow runs for the new Actions run that will execute the command echo "hello".

Resources

• CodeQL for JavaScript - Expression injection in Actions
• Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
• Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at [email protected], please include a reference to GHSL-2024-051 in any communication regarding this issue.