Quote $GITHUB_HEAD_REF on release.yml #1448
Conversation
Thanks for the report, @h2oa! Unfortunately, it seems like we can't access it on huntr.com due to lack of permissions, like in the other report you submitted previously.
The allegedly vulnerable job can only run if the following condition is met:

cml/.github/workflows/release.yml
Line 29 in f775f7b

```yaml
if: github.event.pull_request.merged && startsWith(github.head_ref, 'bump/')
```

This implies that, at the very least, you'd need someone to approve & merge a pull request with a malicious branch name to trigger the vulnerable job.

Proof of concept

Trick a maintainer into merging this, if you can. 🙃

Minimal vulnerable workflow

```yaml
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo ${{ github.head_ref }}
```

Minimal malicious pull request

- Branch name: `bump/$(bash<script)`
- Contents: create a file named `script` with arbitrary code
Hi @0x2b3bfa0, yes, the vulnerability will occur if a pull request is accepted by someone. Therefore, in my report at huntr.com, the
Your product is running a bug bounty program on the huntr.com platform, so I believe you have the authority to request permission from the huntr.com admin to view the report details. Best regards,
Thanks for clarifying this, @h2oa! Our only official bug bounty program is this one, and we aren't affiliated in any way with huntr.com; I'm trying to contact them, hoping to find out how to access and triage those reports.

If someone managed to trick us into accepting a malicious pull request¹ they could find a thousand more subtle and more impactful ways of executing code than this one, e.g. adding a malicious dependency to
Irrelevant security-wise, but using an environment variable is definitely nicer. Thanks for the report and the effort!
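As an added illustration (not the cml project's code, nor the Actions runner itself), the script below models how a `run:` step is materialised under the two patterns discussed in this thread: the `${{ github.head_ref }}` expression from the proof of concept above, and the quoted `$GITHUB_HEAD_REF` variable this PR switches to. The branch name is constructed, with a harmless `echo` standing in for a real payload.

```shell
#!/bin/sh
# Added illustration, not cml code and not the real runner: it only models
# the order in which expression substitution and shell parsing happen.

# Constructed sample branch name. Any command could stand where `echo` is;
# it is only there to show whether the shell evaluates the text.
MALICIOUS_HEAD_REF='bump/$(echo INJECTED)'

# Vulnerable pattern:   run: echo ${{ github.head_ref }}
# The runner replaces `${{ github.head_ref }}` in the step *text* before the
# shell ever parses it, so the branch name is interpreted as shell code.
run_expression_step() {
  script=$(printf 'echo %s' "$1")
  sh -c "$script"
}

# Hardened pattern (what this PR does):   run: echo "$GITHUB_HEAD_REF"
# GITHUB_HEAD_REF is a variable the runner exports for pull_request events.
# The branch name reaches the script only as that variable's value; a quoted
# expansion is data, and the shell never re-parses it.
run_env_step() {
  GITHUB_HEAD_REF="$1" sh -c 'echo "$GITHUB_HEAD_REF"'
}

# Mirrors the job guard `startsWith(github.head_ref, 'bump/')`: it limits
# which branches reach the step, not what characters the name may contain.
passes_bump_guard() {
  case "$1" in
    bump/*) return 0 ;;
    *) return 1 ;;
  esac
}

passes_bump_guard "$MALICIOUS_HEAD_REF" && echo "guard: passed"
echo "expression step: $(run_expression_step "$MALICIOUS_HEAD_REF")"   # bump/INJECTED
echo "env step:        $(run_env_step "$MALICIOUS_HEAD_REF")"          # bump/$(echo INJECTED)
```

The guard passes for the constructed name, the expression step prints `bump/INJECTED` because the command substitution ran, and the env-var step prints the branch name verbatim.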
Hi cml security team,
I submitted a vulnerability report on huntr.com. I see your product runs a bug bounty program on this platform. You can connect to the huntr admin to see the details of the report at https://huntr.com/bounties/2113dbb3-8427-4b77-913a-15a95bf68922. This pull request is a patch for this vulnerability. Because this is a dangerous vulnerability, please consider it as quickly as possible!