Coordinated Disclosure Timeline

• 2024-03-25: Created a report through Private Vulnerability Reporting.
• 2024-05-10: Reminder sent through PVR.
• 2024-08-05: No answer from the maintainers. Decision to publish as per our Disclosure Policy.

Summary

EVE is vulnerable to Actions expression injection allowing an attacker to take over the GitHub Runner and potentially approve any Pull Requests.

Project

EVE

Tested Version

11.0.3-lts

Details

Actions expression injection in request_codeowners_review.yml (GHSL-2024-049)

The request_codeowners_review.yml workflow is triggered on pull_request_target (i.e., when a Pull Request is created or updated). The workflow adopts write permissions for pull-requests.

Taking the above into account, this workflow injects data coming from said Pull Request (${{ github.event.pull_request.head.ref }} – the name of the branch) into a Run step’s script, allowing an attacker to take over the GitHub Runner to run custom commands.

- name: Fetch the PR's head ref
  run: |
    git fetch origin ${{ github.event.pull_request.head.sha }}:${{ github.event.pull_request.head.ref }}
    git checkout ${{ github.event.pull_request.head.ref }}

Impact

This issue potentially may allow an attacker to approve arbitrary Pull Request.

Resources

• CodeQL for JavaScript - Expression injection in Actions
• Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
• Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at [email protected], please include a reference to GHSL-2024-049 in any communication regarding this issue.