GHSA-hw6r-g8gj-2987: Actions expression injection in `filter-test-configs` (`GHSL-2023-181`)
The pytorch/pytorch filter-test-configs workflow is vulnerable to an expression injection in Actions, allowing an attacker to potentially leak secrets and alter the repository using the workflow.
Details
The filter-test-configs workflow is using the raw github.event.workflow_run.head_branch value inside the filter step:

```yaml
- name: Select all requested test configurations
  shell: bash
  env:
    GITHUB_TOKEN: ${{ inputs.github-token }}
    JOB_NAME: ${{ steps.get-job-name.outputs.job-name }}
  id: filter
  run: |
    ...
    python3 "${GITHUB_ACTION_PATH}/../../scripts/filter_test_configs.py" \
      ...
      --branch "${{ github.event.workflow_run.head_branch }}"
```
In the event of a repository using filter-test-configs in a pull_request_target-triggered workflow, an attacker could use a malicious branch name to gain command execution in the step and potentially leak secrets.

```yaml
name: Example
on: pull_request_target
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - name: Filter
        uses: pytorch/pytorch/.github/actions/filter-test-configs@v2
```
Impact
This issue may lead to stealing workflow secrets.
Remediation
- Use an intermediate environment variable for potentially attacker-controlled values such as github.event.workflow_run.head_branch:

```yaml
- name: Select all requested test configurations
  shell: bash
  env:
    GITHUB_TOKEN: ${{ inputs.github-token }}
    JOB_NAME: ${{ steps.get-job-name.outputs.job-name }}
    HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
  id: filter
  run: |
    ...
    python3 "${GITHUB_ACTION_PATH}/../../scripts/filter_test_configs.py" \
      ...
      --branch "$HEAD_BRANCH"
```
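The check behind this advisory and its remediation can be automated. The scanner below is an added example written for this page; it is not code from pytorch/pytorch or from GitHub's tooling, and the function names (find_run_script_injections, suggest_env_name) and the two sample workflows are constructed for the demonstration. It reads a workflow or action YAML as text, finds every ${{ ... }} expression that sits inside a run: script, and flags those that reference a context GitHub's guidance lists as attacker-controlled (branch names, PR and issue titles and bodies, commit messages). The same expression under env: is not flagged, because the value then reaches the shell as a variable instead of being pasted into script text, which is exactly the remediation above.

```python
"""Added example: flag untrusted ${{ }} expressions interpolated into run: scripts."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Subset of the contexts GitHub documents as untrusted input (assumed list).
UNTRUSTED_CONTEXTS = [
    "github.event.workflow_run.head_branch",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.head_commit.message",
    "github.head_ref",
]
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")
# Matches `run:` (optionally as a list item `- run:`) and captures what follows it.
RUN_KEY_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


@dataclass
class Finding:
    line: int        # 1-based line number in the workflow text
    context: str     # the untrusted context that was interpolated into the script
    env_name: str    # suggested environment variable to carry the value instead


def suggest_env_name(context: str) -> str:
    """github.event.workflow_run.head_branch -> HEAD_BRANCH"""
    return context.rsplit(".", 1)[-1].upper()


def find_run_script_injections(workflow_text: str) -> list[Finding]:
    findings: list[Finding] = []
    block_indent = None  # column of the `run` key whose block scalar we are inside
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip():
            continue  # blank lines never end a block scalar
        indent = len(line) - len(line.lstrip(" "))
        if block_indent is not None and indent <= block_indent:
            block_indent = None  # dedented past the key: the script block has ended
        in_script = block_indent is not None
        m = RUN_KEY_RE.match(line)
        if m:
            rest = m.group(2)
            if rest.startswith(("|", ">")):
                block_indent = len(m.group(1))  # block scalar: following lines are script
                continue
            in_script = True  # single-line `run: command ...` form
        if not in_script:
            continue  # env:, with:, etc. are data, not script text
        for expr in EXPR_RE.finditer(line):
            for ctx in UNTRUSTED_CONTEXTS:
                if ctx in expr.group(1):
                    findings.append(Finding(lineno, ctx, suggest_env_name(ctx)))
    return findings


# Constructed sample modelled on the step in this advisory (not the real action file).
VULNERABLE_STEP = """\
name: Example
on: pull_request_target
jobs:
  filter:
    runs-on: ubuntu-latest
    steps:
      - name: Select all requested test configurations
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        id: filter
        run: |
          python3 scripts/filter_test_configs.py \\
            --branch "${{ github.event.workflow_run.head_branch }}"
"""

# Same step with the value routed through an environment variable.
FIXED_STEP = VULNERABLE_STEP.replace(
    "          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n",
    "          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n"
    "          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}\n",
).replace('"${{ github.event.workflow_run.head_branch }}"', '"$HEAD_BRANCH"')


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_STEP), ("fixed", FIXED_STEP)):
        hits = find_run_script_injections(text)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line}: {f.context} in run: script; "
                  f"move it to env: as {f.env_name} and use \"${f.env_name}\"")
```

The scanner is deliberately textual (no YAML library) so it can run in a pre-commit hook; it tracks block scalars by indentation, which is enough for the common `run: |` and single-line `run:` forms. The CodeQL query referenced under Resources performs the same analysis on a proper parse of the workflow.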
Moderate severity GitHub Reviewed Published Aug 30, 2023 in pytorch/pytorch • Updated Aug 30, 2023
Package
actions https://github.com/pytorch/pytorch/.github/actions/filter-test-configs (GitHub Actions)
Affected versions
< 2.0.1
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
References
- GHSA-hw6r-g8gj-2987
Published to the GitHub Advisory Database
Aug 30, 2023
Last updated
Aug 30, 2023