GHSL-2021-048: Unauthorized repository modification or secrets exfiltration in several GitHub workflows of linebender
2021-02-24 23:00:00 Author: securitylab.github.com

Coordinated Disclosure Timeline

  • 2021-02-04: Issue reported to maintainers
  • 2021-02-04: Report acknowledged
  • 2021-02-23: Issue fixed

Summary

The bloat.yml GitHub workflow in linebender/druid, linebender/runebender and linebender/norad is vulnerable to unauthorized modification of the base repository or secrets exfiltration.

Product

linebender/druid repository
linebender/runebender repository
linebender/norad repository

Tested Version

The latest version of bloat.yml as of the report date.

Details

Issue: A specific comment triggers a potentially untrusted pull request build in a privileged environment

When a user comments on a pull request, the following workflow is triggered; it checks out the pull request and builds the potentially untrusted code:

on:
  issue_comment:
    types: [created, edited]
...
    # if it isn't an issue comment run every time, otherwise only run if the comment starts with '/bloat'
    if: (!startsWith(github.event_name, 'issue_comment') || startsWith(github.event.comment.body, '/bloat'))
    steps:
...
      - name: build head
        if: steps.get_revs.outputs.base != steps.get_revs.outputs.head
        uses: actions-rs/cargo@v1
        with:
          command: build
          args: --release --examples
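The weak pattern from the excerpt above, next to a hardened variant, as an added illustration that is not the linebender workflow or its actual fix. The job names, the use of actions/checkout with a refs/pull/N/head ref, the author_association gate and the permission set are assumptions chosen for the example.

```yaml
# Added example, not the project's own workflow. One file, two jobs: the
# first reproduces the risky shape, the second shows one way to contain it.
on:
  issue_comment:
    types: [created, edited]

jobs:
  # --- Weak pattern (what the advisory describes) ---
  # issue_comment runs in the context of the default branch, so this job
  # receives the repository's full GITHUB_TOKEN and any referenced secrets,
  # yet it checks out and builds pull-request code that any commenter can
  # trigger by writing '/bloat'.
  bloat-weak:
    if: startsWith(github.event.comment.body, '/bloat')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head  # untrusted code
      - run: cargo build --release --examples  # build.rs and proc-macros run here

  # --- Hardened variant ---
  bloat-hardened:
    # Only comments on pull requests (not plain issues), and only from people
    # with write access, may start a build of PR code. CONTRIBUTOR is
    # deliberately absent: anyone with a merged PR carries that association.
    if: >-
      github.event.issue.pull_request &&
      startsWith(github.event.comment.body, '/bloat') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.comment.author_association)
    runs-on: ubuntu-latest
    # Scope the token to the minimum: read the code, post a results comment.
    # No other secrets are referenced in this job, so there is nothing else
    # for a build script to exfiltrate.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v3
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head
          persist-credentials: false  # keep the token out of .git/config
      - run: cargo build --release --examples
```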

Impact

The triggered workflow has access to a repository token with write permissions and to the repository secrets. The vulnerability allows for unauthorized modification of the base repository and secrets exfiltration.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at [email protected]; please include a reference to GHSL-2021-048 in any communication regarding this issue.


Source: https://securitylab.github.com/advisories/GHSL-2021-048-linebender-druid-workflows