Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1odzZyLWc4Z2otMjk4N84AA1lL
Actions expression injection in `filter-test-configs` (`GHSL-2023-181`)
The pytorch/pytorch `filter-test-configs` workflow is vulnerable to an expression injection in Actions, allowing an attacker to potentially leak secrets and alter the repository using the workflow.
Details
The `filter-test-configs` workflow is using the raw `github.event.workflow_run.head_branch` value inside the `filter` step:

```yaml
    - name: Select all requested test configurations
      shell: bash
      env:
        GITHUB_TOKEN: ${{ inputs.github-token }}
        JOB_NAME: ${{ steps.get-job-name.outputs.job-name }}
      id: filter
      run: |
        ...
        python3 "${GITHUB_ACTION_PATH}/../../scripts/filter_test_configs.py" \
          ...
          --branch "${{ github.event.workflow_run.head_branch }}"
```
In the event of a repository using `filter-test-configs` in a `pull_request_target`-triggered workflow, an attacker could use a malicious branch name to gain command execution in the step and potentially leak secrets.

```yaml
name: Example
on: pull_request_target
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - name: Filter
        uses: pytorch/pytorch/.github/actions/filter-test-configs@v2
```
Impact
This issue may lead to stealing workflow secrets.
Remediation
- Use an intermediate environment variable for potentially attacker-controlled values such as `github.event.workflow_run.head_branch`:

```yaml
    - name: Select all requested test configurations
      shell: bash
      env:
        GITHUB_TOKEN: ${{ inputs.github-token }}
        JOB_NAME: ${{ steps.get-job-name.outputs.job-name }}
        HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
      id: filter
      run: |
        ...
        python3 "${GITHUB_ACTION_PATH}/../../scripts/filter_test_configs.py" \
          ...
          --branch "$HEAD_BRANCH"
```
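The distinction the Details and Remediation sections draw (an expression interpolated into a `run:` script versus the same value passed through `env:`) is exactly what a workflow scanner should look for. The following is an added example, not code from the advisory or from pytorch: a small line-based scanner that flags `${{ }}` expressions referencing untrusted contexts only when they appear inside a `run:` script, and run against a constructed copy of the vulnerable step and its remediated form. The `UNTRUSTED_CONTEXTS` list is an assumed, non-exhaustive sample.

```python
import re

# Assumed, non-exhaustive sample of contexts whose value an outside contributor controls
# (branch names, PR/issue text), taken from GitHub's published untrusted-input guidance.
UNTRUSTED_CONTEXTS = (
    "github.event.workflow_run.head_branch", "github.event.pull_request.title",
    "github.event.pull_request.head.ref", "github.event.issue.body",
    "github.event.comment.body", "github.head_ref",
)
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")        # one ${{ ... }} expression
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")  # a step's run: key


def find_run_injections(yaml_text):
    """Return [(line_no, expression)] for each ${{ }} expression inside a run: script that
    names an untrusted context. Actions substitutes the value into the script text before
    bash parses it, so that is a shell injection point; the same context under env: is not
    reported, because bash then only expands a (quoted) variable."""
    findings, lines, i = [], yaml_text.splitlines(), 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col, value, script, j = len(m.group(1)), m.group(2).strip(), [], i + 1
        if value.startswith(("|", ">")):  # block scalar: body is every line indented past the key
            while j < len(lines) and (not lines[j].strip()
                                      or len(lines[j]) - len(lines[j].lstrip()) > key_col):
                script.append((j + 1, lines[j]))
                j += 1
        else:                             # single-line form: run: some command
            script.append((i + 1, value))
        for line_no, text in script:
            for expr in EXPR_RE.findall(text):
                if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                    findings.append((line_no, expr))
        i = j
    return findings


# Constructed sample input: the vulnerable step from the advisory and its remediated form.
VULNERABLE_STEP = """\
    - name: Select all requested test configurations
      shell: bash
      env:
        GITHUB_TOKEN: ${{ inputs.github-token }}
      id: filter
      run: |
        python3 "${GITHUB_ACTION_PATH}/../../scripts/filter_test_configs.py" \\
          --branch "${{ github.event.workflow_run.head_branch }}"
"""
FIXED_STEP = VULNERABLE_STEP.replace(
    "      id: filter", "        HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}\n      id: filter"
).replace('"${{ github.event.workflow_run.head_branch }}"', '"$HEAD_BRANCH"')
```

`find_run_injections(VULNERABLE_STEP)` reports line 8 of the step (the `--branch` argument), while the remediated step reports nothing, since its only expression now sits under `env:`.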
Resources
- CodeQL for JavaScript - Expression injection in Actions
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1odzZyLWc4Z2otMjk4N84AA1lL
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
Identifiers: GHSA-hw6r-g8gj-2987
References:
- https://github.com/pytorch/pytorch/security/advisories/GHSA-hw6r-g8gj-2987
- https://github.com/advisories/GHSA-hw6r-g8gj-2987
Blast Radius: 1.0
Affected Packages
actions:https://github.com/pytorch/pytorch/.github/actions/filter-test-configs
Affected Version Ranges: < 2.0.1
No known fixed version