Coordinated Disclosure Timeline
- 2024-07-12: Reported through GitHub’s Private Vulnerability Reporting (PVR).
- 2024-07-23: Fix is merged.
Summary
The `unit-tests.yml` GitHub workflow is vulnerable to arbitrary code execution.
Project
cal.com
Tested Version
Latest commit at the time of reporting.
Details
Poisoned Pipeline Execution on unit-tests.yml (GHSL-2024-163)
The `unit-tests.yml` workflow runs when the `crowdin.yml` workflow completes. Even though the Crowdin workflow runs on the push event, an attacker could send a PR that changes its trigger event to pull_request, so that the unit-tests workflow would be triggered from the PR.
Given that, the unit-tests workflow checks out untrusted code:
```yaml
- uses: ./.github/actions/dangerous-git-checkout
```
It then runs commands such as `yarn test` that could be poisoned by an attacker able to change the `package.json` file.
The unit-tests workflow runs with full write permissions, and therefore an attacker could be able to take over the repository.
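As an added illustration (not cal.com's code and not the fix that was merged), the following shows how a workflow that runs on completion of another workflow, like `unit-tests.yml` here, can be gated so that a pull request cannot reach its privileged steps; the workflow and job names, and the checkout step, are assumptions:

```yaml
# Added example (not cal.com's code or its merged fix): a workflow_run-triggered
# job gated so that a pull request cannot reach it with write permissions.
name: Unit tests (hardened example)

on:
  workflow_run:
    workflows: ["Crowdin Action"]   # name of the triggering workflow, as in the PoC
    types: [completed]

# Default the GITHUB_TOKEN to read-only; nothing in this job needs to write
# to the repository, so a poisoned `yarn test` could not push or tag.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Run only when the triggering workflow ran for a push to this repository
    # and succeeded. A PR that rewrites crowdin.yml to use `on: pull_request`
    # produces event == 'pull_request', so it is rejected here.
    if: >-
      github.event.workflow_run.event == 'push' &&
      github.event.workflow_run.head_repository.full_name == github.repository &&
      github.event.workflow_run.conclusion == 'success'
    steps:
      # With the gate above, head_sha is a commit pushed to this repository by
      # someone with write access, not a fork's PR head, so package.json is trusted.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
      - run: yarn test
```

The `if` condition and the `permissions` block are the two controls that matter: without the condition, a PR-controlled `crowdin.yml` still completes and fires the trigger; without read-only permissions, any poisoned script inherits a write-capable token.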
PoC
Create a new Pull Request with two changes:
- Change `crowdin.yml` to:
```yaml
name: Crowdin Action
on:
  pull_request:
jobs:
  trigger:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Triggered"
```
- Change the `package.json` scripts section to include a new `test` script:
```json
...
"scripts": {
  ...
  "test": "echo PWNED",
  ...
},
...
```
Impact
The issue may lead to repository takeover.
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-163 in any communication regarding this issue.