GHSA-mcph-m25j-8j63
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mcph-m25j-8j63
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-mcph-m25j-8j63/GHSA-mcph-m25j-8j63.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mcph-m25j-8j63
- Aliases
- Published
- 2024-01-02T16:41:27Z
- Modified
- 2024-01-02T16:41:27Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- tj-actions/changed-files has Potential Actions command injection in output filenames (GHSL-2023-271)
- Details
-
Summary
The
tj-actions/changed-filesworkflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets.Details
The <code>changed-files</code> action returns a list of files changed in a commit or pull request which provides an
escape_jsoninput enabled by default, only escapes"for JSON values.This could potentially allow filenames that contain special characters such as
;and ` (backtick) which can be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion (thus being directly replaced before execution) inside arunblock. By running custom commands an attacker may be able to steal secrets such asGITHUB_TOKENif triggered on other events thanpull_request. For example onpush.Proof of Concept
- Submit a pull request to a repository with a new file injecting a command. For example
$(whoami).txtwhich is a valid filename. - Upon approval of the workflow (triggered by the pull request), the action will get executed and the malicious pull request filename will flow into the
List all changed filesstep below.- name: List all changed files run: | for file in ${{ steps.changed-files.outputs.all_changed_files }}; do echo "$file was changed" done
Example output:
##[group]Run for file in $(whoami).txt; do for file in $(whoami).txt; do echo "$file was changed" done shell: /usr/bin/bash -e {0} ##[endgroup] runner.txt was changedImpact
This issue may lead to arbitrary command execution in the GitHub Runner.
Resolution
A new
safe_outputinput would be enabled by default and return filename paths escaping special characters like ;, ` (backtick), $, (), etc for bash environments.A safe recommendation of using environment variables to store unsafe outputs.
- name: List all changed files env: ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} run: | for file in "$ALL_CHANGED_FILES"; do echo "$file was changed" done
Resources
- Submit a pull request to a repository with a new file injecting a command. For example
- Database specific
{ "nvd_published_at": "2023-12-27T17:15:08Z", "severity": "HIGH", "github_reviewed_at": "2024-01-02T16:41:27Z", "github_reviewed": true, "cwe_ids": [ "CWE-74", "CWE-77" ] }- References
-
- https://github.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63
- https://nvd.nist.gov/vuln/detail/CVE-2023-51664
- https://github.com/tj-actions/changed-files/commit/0102c07446a3cad972f4afcbd0ee4dbc4b6d2d1b
- https://github.com/tj-actions/changed-files/commit/716b1e13042866565e00e85fd4ec490e186c4a2f
- https://github.com/tj-actions/changed-files/commit/ff2f6e6b91913a7be42be1b5917330fe442f2ede
- https://github.com/tj-actions/changed-files