logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-52137 tj-actions/verify-changed-files

Package

Manager: github_actions
Name: tj-actions/verify-changed-files
Vulnerable Version: >=0 <17

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00475 pctl0.63843

Details

Potential Actions command injection in output filenames (GHSL-2023-275) ### Summary The [`tj-actions/verify-changed-files`](https://github.com/tj-actions/verify-changed-files) action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. ### Details The [`verify-changed-files`](https://github.com/tj-actions/verify-changed-files) workflow returns the list of files changed within a workflow execution. This could potentially allow filenames that contain special characters such as `;` and \` (backtick) which can be used by an attacker to take over the [GitHub Runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners) if the output value is used in a raw fashion (thus being directly replaced before execution) inside a `run` block. By running custom commands an attacker may be able to steal **secrets** such as `GITHUB_TOKEN` if triggered on other events than `pull_request`. For example on `push`. #### Proof of Concept 1. Submit a pull request to the repository with a new file injecting a command. For example `$(whoami).txt` would be a valid filename. 2. Upon approval of the workflow (triggered by the pull request), the action will get executed and the malicious pull request filename will flow into the `List all changed files tracked and untracked files` step. ```yaml - name: List all changed files tracked and untracked files run: | echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}" ``` Example output: ```yaml ##[group]Run echo "Changed files: $(whoami).txt" echo "Changed files: $(whoami).txt" shell: /usr/bin/bash -e {0} ##[endgroup] Changed files: runner.txt ``` ### Impact This issue may lead to arbitrary command execution in the GitHub Runner. ### Resolution - A new `safe_output` input would be enabled by default and return filename paths escaping special characters like ;, ` (backtick), $, (), etc for bash environments. - A safe recommendation of using environment variables to store unsafe outputs. ```yaml - name: List all changed files tracked and untracked files env: CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }} run: | echo "Changed files: $CHANGED_FILES" ``` ### Resources * [Keeping your GitHub Actions and workflows secure Part 2: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input/) * [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Metadata

Created: 2024-01-02T16:42:27Z
Modified: 2024-01-02T16:42:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-ghm2-rq8q-wrhc/GHSA-ghm2-rq8q-wrhc.json
CWE IDs: ["CWE-20", "CWE-77"]
Alternative ID: GHSA-ghm2-rq8q-wrhc
Finding: F422
Auto approve: 1