Gh Actions - Context Script Injections

Support HackTricks

Basic Information

Note that there are certain GitHub contexts whose values are controlled by the user who opens the PR (or issue, or comment). If the GitHub Action uses that data to execute anything, it could lead to arbitrary code execution on the runner. The names of these contexts typically end with body, default_branch, email, head_ref, label, message, name, page_name, ref, and title. For example (list from this writeup):

  • github.event.comment.body

  • github.event.issue.body

  • github.event.issue.title

  • github.head_ref

  • github.event.pull_request.*

  • github.*.*.author.name

  • github.*.*.author.email

Note that there are less obvious sources of potentially untrusted input, such as branch names and email addresses, which are quite flexible in the content they permit. For example, zzz";echo${IFS}"hello";# is a valid branch name (Git only forbids control characters, spaces and a handful of special characters such as ~ ^ : ? * [ \ in ref names) and would be a possible attack vector against a target repository that interpolates github.head_ref into a script.

Example of a script injection attack

A script injection attack can occur directly within a workflow's inline script. In the following example, a workflow step uses an expression to test the validity of a pull request title, but in doing so it also introduces the risk of script injection:

```yaml
- name: Check PR title
  run: |
    title="${{ github.event.pull_request.title }}"
    if [[ $title =~ ^octocat ]]; then
      echo "PR title starts with 'octocat'"
      exit 0
    else
      echo "PR title did not start with 'octocat'"
      exit 1
    fi
```

Because the expression inside ${{ }} is evaluated and replaced with its resulting value before the shell script runs, the step can be vulnerable to shell command injection: the title is pasted into the script source, not passed to it as data.

To inject commands into this workflow, an attacker could create a pull request with the title **a"; ls $GITHUB_WORKSPACE"**.

In this example, the " character is used to terminate the title="${{ github.event.pull_request.title }}" statement, which allows the ls command to be executed on the runner.
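The following script reproduces the mechanism locally so the difference between the two patterns can be observed without a runner. It is an added example, not code from the original page or from GitHub: the runner's real template engine is not used, and substituting the title into the step source with printf is an assumption that mimics only the behaviour that matters here. The titles are constructed, and an echo marker replaces the page's ls $GITHUB_WORKSPACE payload so the outcome is easy to check.

```bash
#!/usr/bin/env bash
# Added example, not from the original page or from GitHub: a local
# simulation of how a runner expands ${{ github.event.pull_request.title }}
# into the step's script *before* the shell parses it, next to the hardened
# pattern that hands the value over through an environment variable.
# The runner's real templating is not used; substituting the value with
# printf is an assumption that reproduces the behaviour that matters here.

# Constructed attacker-controlled titles (hypothetical). The page's payload
# is  a"; ls $GITHUB_WORKSPACE"  ; an echo marker is used here so the
# outcome is easy to check.
MALICIOUS_TITLE='a"; echo INJECTED; echo "'
BENIGN_TITLE='octocat: fix typo'

# The check itself, shared by both variants (bash syntax, as on the page).
CHECK_BODY='
if [[ $title =~ ^octocat ]]; then
  echo "PR title starts with octocat"
else
  echo "PR title did not start with octocat"
fi'

# Vulnerable: the title is pasted into the script source. A double quote in
# the title closes the string literal and everything after it is shell code.
render_vulnerable_step() {
  printf 'title="%s"\n%s\n' "$1" "$CHECK_BODY"
}

run_vulnerable_step() {
  bash -c "$(render_vulnerable_step "$1")" 2>/dev/null
}

# Hardened: the step declares  env: TITLE: ${{ github.event.pull_request.title }}
# and the script reads "$TITLE". The shell only ever parses the literal
# text  title="$TITLE"  so quotes inside the value stay data.
render_hardened_step() {
  printf 'title="$TITLE"\n%s\n' "$CHECK_BODY"
}

run_hardened_step() {
  TITLE="$1" bash -c "$(render_hardened_step)" 2>/dev/null
}

# Returns 0 when the injection marker shows up in a step's output.
leaked_marker() {
  case "$1" in *INJECTED*) return 0 ;; *) return 1 ;; esac
}

printf '[vulnerable step, malicious title]\n%s\n\n' "$(run_vulnerable_step "$MALICIOUS_TITLE")"
printf '[hardened step, malicious title]\n%s\n\n' "$(run_hardened_step "$MALICIOUS_TITLE")"
printf '[hardened step, benign title]\n%s\n' "$(run_hardened_step "$BENIGN_TITLE")"
```

Run with bash. The vulnerable variant prints INJECTED before the check runs, because the title rewrote the script; the hardened variant reports "did not start with octocat" and nothing else, because the same title only ever existed as the value of $TITLE. In a real workflow the hardened shape is an env: block on the step that maps TITLE to ${{ github.event.pull_request.title }}, with run: referencing "$TITLE" and never the ${{ }} expression directly.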
