
[BUG] Security Vulnerability: Unsafe eval Usage in ADDITIONAL_PARAMETERS Handling #166

Open
appsec-igm-sbf opened this issue Feb 28, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@appsec-igm-sbf

appsec-igm-sbf commented Feb 28, 2024

Describe the "bug"

I've identified a critical security vulnerability within the GitHub Action due to the handling of the "ADDITIONAL_PARAMETERS" input. The issue arises from the use of eval to process this input, which can allow for the execution of arbitrary commands. This misuse of eval poses a significant security risk, as it could potentially be exploited to bypass CI controls or expose sensitive information, such as the GITHUB_TOKEN.

eval "arr=(${ADDITIONAL_PARAMS})"

Expected behavior

The expected behavior would be for the GitHub Action to securely handle input parameters without executing them as code. Ideally, inputs should be sanitized or validated to ensure that they cannot be used to inject malicious code.

Actual behavior

The actual behavior is that the "ADDITIONAL_PARAMETERS" input is processed with eval, allowing for the injection of arbitrary commands. For example, injecting "); exit 0; # can terminate the script prematurely, and similarly, "); echo $GITHUB_TOKEN; # could potentially expose the GitHub token or other sensitive environment variables.

Steps to reproduce

To reproduce the vulnerability, you can follow these steps:

  1. Configure the GitHub Action in a workflow.
  2. In the action's inputs, supply an "ADDITIONAL_PARAMETERS" value that includes malicious code, such as "); exit 0; #.
  3. Execute the workflow.
  4. Observe that the injected command is executed, demonstrating the vulnerability.

Additional comments

This vulnerability exposes projects to significant risks, including unauthorized access to sensitive information or manipulation of the CI/CD process. It is crucial to address this issue to maintain the security integrity of projects using this GitHub Action.

Logs

Due to the nature of this report, providing specific logs might inadvertently expose sensitive information. However, the behavior can be verified by following the reproduction steps provided above with a test command designed to demonstrate the arbitrary command execution.

@appsec-igm-sbf appsec-igm-sbf added the bug Something isn't working label Feb 28, 2024
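The eval pattern from the report, shown beside a parser that does not evaluate its input, as an added example that is not part of this issue or of the action's own code. The function names, the test payload (which sets a global variable as a visible side effect instead of printing a token) and the token allow-list are assumptions chosen for illustration; the first function reproduces the reported `eval "arr=(...)"` form, the second splits the same input with `read -a`, which performs word splitting only, and fails closed on any token outside a conservative character set.

```shell
#!/usr/bin/env bash
# Added example, not the action's code: the reported eval pattern beside a
# parser that never hands the input to the shell as source text.

# Mirrors the reported pattern. The input is spliced into shell source, so
# anything after a closing ")" is parsed and run as further commands.
# (Assumed payload for the demo: '); INJECTED=1; #' leaves INJECTED=1 behind.)
parse_with_eval() {
    local input=$1
    local -a arr
    eval "arr=(${input})"
    printf '%s\n' "${arr[@]}"
}

# Hardened form: read -a splits on IFS whitespace without evaluating anything,
# then every token is checked against an allow-list (assumed here; adjust to the
# flags the wrapped tool actually accepts). Returns 1 on the first bad token so
# the calling step fails instead of silently dropping or running the input.
parse_without_eval() {
    local input=$1
    local -a arr
    local tok
    read -r -a arr <<< "$input"
    for tok in "${arr[@]}"; do
        if [[ ! $tok =~ ^[A-Za-z0-9_./=:,@+-]+$ ]]; then
            printf 'rejected token: %q\n' "$tok" >&2
            return 1
        fi
    done
    printf '%s\n' "${arr[@]}"
}

# Stand-in for invoking the scanner: tokens are passed as separate argv
# entries, so a value such as 'foo;bar' reaches the tool as data, not code.
run_tool_with() {
    local -a args
    mapfile -t args < <(parse_without_eval "$1") || return 1
    printf '[tool] %s\n' "${args[@]}"
}
```

Because `read -a` only splits on whitespace, a value that needs an embedded space cannot be passed this way; if the action must support that, the input should be accepted as a list (one argument per line, for example) rather than re-parsed with shell quoting rules.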

Internal Jira issue: AST-36693
