Summary
A critical severity vulnerability has been identified within the .github/workflows/benchmark-bot.yml workflow, where a issue_comment can be triggered using the @benchmark body. This workflow is susceptible to exploitation as it checkout the ${{ github.event.issue.number }}, which correspond to the branch of the PR manipulated by potentially malicious actors, and where untrusted code may be executed.
That said, running untrusted code may lead to the exfiltration of GITHUB_TOKEN, which in this workflow has write permissions on most of the scopes - in particular the contents one - and could lead to potential repository takeover.
Details
The issue_comment trigger in this workflow is followed by the checkout of the PR branch:
on:
issue_comment: # Pull requests are also issues
types:
- created
...
- name: Checkout Pull Request
run: |
hub pr checkout ${{ github.event.issue.number }}
echo "Checked out SHA:"
git log -1 --format='%H'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
This kind of workflow is susceptible to arbitrary execution from the PR branch opened by any actor in Github.
PoC
An attacker here can leverage the Install dependencies step to inject and run malicious code inside the workflow.
By inserting a locally crafted malicious python package that gets installed via the pip install ., or by adding in the requirements.txt file a remote python package that is downloaded by pip install -r requirements.txt, an attacker can achieve arbitrary execution, and, for example, spawn a reverse shell within the github runner.
To prove this exploit was possible we did a test by adding a locally crafted malicious python package that opened a reverse shell to extract the GITHUB_TOKEN. With the token extracted we were able to create a testing tag poc-v1.1.55 that has been deleted after 2 minutes.
Impact
Usually a GITHUB_TOKEN with write permissions, at least with the contents: write ones, allows an attacker a wide range of ways to completely damage or overtake the repository. In this case the following permissions were set for this github workflow:
GITHUB_TOKEN Permissions
Actions: write
Attestations: write
Checks: write
Contents: write
Deployments: write
Discussions: write
Issues: write
Metadata: read
Models: read
Packages: write
Pages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write
Fix
In general, allowing any user to run untrusted code within the github runner is strongly discouraged and, as in this case, could potentially lead to repository takeover. So, avoid checking out untrusted code unless strictly required.
Last but not least, the permissions of the GITHUB_TOKEN must be minimized to prevent potential repository takeover.
Kindly reported by @darryk10 and @AlbertoPellitteri
AlbertoPellitteri Reporter
darryk10 Reporter
Summary
A critical severity vulnerability has been identified within the
.github/workflows/benchmark-bot.ymlworkflow, where aissue_commentcan be triggered using the@benchmarkbody. This workflow is susceptible to exploitation as it checkout the${{ github.event.issue.number }}, which correspond to the branch of the PR manipulated by potentially malicious actors, and where untrusted code may be executed.That said, running untrusted code may lead to the exfiltration of
GITHUB_TOKEN, which in this workflow haswritepermissions on most of the scopes - in particular thecontentsone - and could lead to potential repository takeover.Details
The
issue_commenttrigger in this workflow is followed by the checkout of the PR branch:This kind of workflow is susceptible to arbitrary execution from the PR branch opened by any actor in Github.
PoC
An attacker here can leverage the
Install dependenciesstep to inject and run malicious code inside the workflow.By inserting a locally crafted malicious python package that gets installed via the
pip install ., or by adding in therequirements.txtfile a remote python package that is downloaded bypip install -r requirements.txt, an attacker can achieve arbitrary execution, and, for example, spawn a reverse shell within the github runner.To prove this exploit was possible we did a test by adding a locally crafted malicious python package that opened a reverse shell to extract the
GITHUB_TOKEN. With the token extracted we were able to create a testing tagpoc-v1.1.55that has been deleted after 2 minutes.Impact
Usually a
GITHUB_TOKENwithwritepermissions, at least with thecontents: writeones, allows an attacker a wide range of ways to completely damage or overtake the repository. In this case the following permissions were set for this github workflow:Fix
In general, allowing any user to run untrusted code within the github runner is strongly discouraged and, as in this case, could potentially lead to repository takeover. So, avoid checking out untrusted code unless strictly required.
Last but not least, the permissions of the
GITHUB_TOKENmust be minimized to prevent potential repository takeover.Kindly reported by @darryk10 and @AlbertoPellitteri