Summary
The /mehah/otclient "Analysis - SonarCloud" workflow is vulnerable to an expression injection in Actions, allowing an attacker to run commands remotely on the runner, leak secrets and alter the repository using this workflow.
Details
The otclient/.github/workflows/analysis-sonarcloud.yml file (lines 91 to 104 at commit 72744ed) contains the vulnerable code:
```yaml
- name: Run PR sonar-scanner
  if: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }}
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  run: |
    sonar-scanner \
      --define sonar.cfamily.threads="${{ env.NUMBER_OF_PROCESSORS }}" \
      --define sonar.cfamily.cache.enabled=true \
      --define sonar.cfamily.cache.path="$HOME/.cfamily" \
      --define sonar.cfamily.compile-commands=build/compile_commands.json \
      --define sonar.pullrequest.key=${{ github.event.pull_request.number }} \
      --define sonar.pullrequest.branch=${{ github.event.pull_request.head.ref }} \
      --define sonar.pullrequest.base=${{ github.event.pull_request.base_ref }}
```
The injection point is `${{ github.event.pull_request.head.ref }}`: the head branch name of a pull request is chosen by the PR author, and the expression is expanded into the `run:` script text before the shell executes it, so shell syntax in the branch name is interpreted as code.
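As an added example (not code from the advisory or from the otclient project), the following Python scanner flags `${{ }}` expressions that reference attacker-controllable contexts inside `run:` scripts, and runs against a constructed copy of the vulnerable step and against a hardened version that hands the same values to the script through `env:`. The list of untrusted contexts follows GitHub's security-hardening guide for Actions; the variable names `PR_NUMBER`, `HEAD_REF` and `BASE_REF` in the hardened step are my own choice.

```python
import re

# Contexts that GitHub's "Security hardening for GitHub Actions" guide lists
# as attacker-controllable when they reach a run: script unquoted.
UNTRUSTED_CONTEXTS = [
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.comment.body", "github.event.review.body",
    "github.event.pages.*.page_name", "github.event.commits.*.message",
    "github.event.head_commit.message", "github.event.head_commit.author.email",
    "github.event.head_commit.author.name", "github.event.commits.*.author.email",
    "github.event.commits.*.author.name", "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.pull_request.head.repo.default_branch", "github.head_ref",
]

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")      # one ${{ ... }} expression
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")   # a step's run: key


def untrusted_context(expr):
    """Return the untrusted context referenced inside an expression, or None."""
    for ctx in UNTRUSTED_CONTEXTS:
        # ".*" in the guide means "any array element": accept .name or [index].
        body = re.escape(ctx).replace(r"\.\*", r"(?:\.[^.]+|\[[^\]]*\])")
        if re.search(r"(?<![\w.])" + body + r"(?!\w)", expr):
            return ctx
    return None


def find_run_injections(workflow_text):
    """Return (line_no, context, line) for each untrusted context that is
    expanded directly into a run: script (single-line or | / > block)."""
    findings = []
    block_indent = None  # indent of the run: key while inside a block scalar
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.strip()
        if block_indent is not None and stripped:
            if len(line) - len(line.lstrip()) <= block_indent:
                block_indent = None  # dedent to the key's level ends the block
        in_run = block_indent is not None
        m = RUN_RE.match(line)
        if m:
            in_run = True
            if m.group(3).startswith(("|", ">")):
                block_indent = len(m.group(1)) + len(m.group(2) or "")
        if not in_run:
            continue
        for em in EXPR_RE.finditer(line):
            ctx = untrusted_context(em.group(1))
            if ctx:
                findings.append((no, ctx, stripped))
    return findings


# Constructed sample modelled on the otclient step: the branch name is
# expanded into the script text, so shell syntax in it is executed.
VULNERABLE_STEP = """\
steps:
  - name: Run PR sonar-scanner
    env:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    run: |
      sonar-scanner \\
        --define sonar.pullrequest.key=${{ github.event.pull_request.number }} \\
        --define sonar.pullrequest.branch=${{ github.event.pull_request.head.ref }} \\
        --define sonar.pullrequest.base=${{ github.event.pull_request.base_ref }}
"""

# Hardened form (variable names are my own): the untrusted values reach the
# script via env:, so the shell sees them as data in a quoted variable.
HARDENED_STEP = """\
steps:
  - name: Run PR sonar-scanner
    env:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      PR_NUMBER: ${{ github.event.pull_request.number }}
      HEAD_REF: ${{ github.event.pull_request.head.ref }}
      BASE_REF: ${{ github.event.pull_request.base_ref }}
    run: |
      sonar-scanner \\
        --define sonar.pullrequest.key="$PR_NUMBER" \\
        --define sonar.pullrequest.branch="$HEAD_REF" \\
        --define sonar.pullrequest.base="$BASE_REF"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_STEP), ("hardened", HARDENED_STEP)):
        hits = find_run_injections(text)
        print(f"{label}: {len(hits)} finding(s)")
        for no, ctx, line in hits:
            print(f"  line {no}: {ctx} in: {line}")
```

The scanner reports only the `head.ref` interpolation in the vulnerable step and nothing in the hardened one. The hardened step works because `${{ }}` expansion happens when the runner builds the step, before the shell starts: a value placed in `env:` arrives in the shell as the contents of a variable, and `"$HEAD_REF"` is never re-parsed for command substitution, whereas the same value spliced into the `run:` text becomes part of the script itself.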
The attack scenario was reproduced in a separate repository as follows:
- The attacker forks the repository.
- Creates a new branch named with the payload `sss$(whoami)]@sim4n6`.
- Writes a PR.
- Makes a pull request to trigger the workflow and run the command `sonar-scanner .... --define sonar.pullrequest.branch=${{ github.event.pull_request.head.ref }}`, which is equivalent to `sonar-scanner .... --define sss$(whoami)]@sim4n6`.
As a result, the command was successfully injected into the runner, as seen in the raw logs of the alternative repository with a similar workflow:
Impact
- Run arbitrary commands on the runner.
- Leak the secrets & the tokens.
References