kartverket/github-workflows is a popular open-source project that provides shared, reusable GitHub Action workflows for various tasks. Unfortunately, all users of the run-terraform reusable workflow from the kartverket/github-workflows repository are affected by a critical code injection vulnerability in versions prior to 2.7.5. This vulnerability, tracked as CVE-2022-39326, allows a malicious actor to inject and execute arbitrary JavaScript code in the context of the affected workflow. In this post, we will dive into the vulnerability details, how to identify whether your workflows are affected, and how to mitigate this issue.

Vulnerability Details

The code injection vulnerability exists due to insufficient input validation and sanitization in the run-terraform reusable workflow. A malicious user could craft a pull request (PR) that contains a specially designed payload, which, when processed by the run-terraform workflow, would lead to the execution of arbitrary JavaScript code. In turn, this could lead to unauthorized access or modification of GitHub repositories, as well as leakage of sensitive data or secrets.

Code Snippet

Below is a snippet of the vulnerable code from the run-terraform reusable workflow (before version 2.7.5):

jobs:
  run_terraform:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout repo
      uses: actions/checkout@v2
      with:
        ref: ${{ github.event.pull_request.head.ref }}
        repository: ${{ github.event.pull_request.head.repo.full_name }}

In the code above, the ref and repository properties used to check out the repository are taken directly from the github.event.pull_request object, without proper input validation or sanitization. Because a pull request author controls these values, an attacker can craft a malicious payload in them, potentially leading to code execution in the workflow.

Affected Versions

Users of the kartverket/github-workflows repository who use the run-terraform reusable workflow in any version prior to 2.7.5 are affected by this vulnerability.
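One way to check whether a caller workflow is affected, as an added example that is not part of the original advisory or the kartverket project: the script below scans a workflow file for a run-terraform reference pinned below 2.7.5 and for expressions that interpolate pull_request event data directly. The reusable-workflow path (`.github/workflows/run-terraform.yml`) and the sample caller workflow are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Assumed call form for the reusable workflow; the file path is an assumption,
# not something stated in the advisory.
USES_RE = re.compile(
    r"uses:\s*kartverket/github-workflows/\.github/workflows/run-terraform\.ya?ml@(\S+)"
)
# Any Actions expression that reads attacker-controlled pull_request fields.
UNTRUSTED_RE = re.compile(r"\$\{\{[^}]*github\.event\.pull_request\.[^}]*\}\}")
FIXED = (2, 7, 5)  # first version the advisory names as patched


def parse_version(ref: str) -> Optional[Tuple[int, ...]]:
    """Turn a release tag such as 'v2.7.4' into (2, 7, 4); None for branches or SHAs."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_workflow(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs for the contents of one workflow file."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.search(line)
        if m:
            ref = m.group(1)
            ver = parse_version(ref)
            if ver is None:
                findings.append((lineno, f"run-terraform pinned to non-release ref '{ref}': verify it is >= 2.7.5 manually"))
            elif ver < FIXED:
                findings.append((lineno, f"run-terraform {ref} is vulnerable (CVE-2022-39326): upgrade to >= 2.7.5"))
        if UNTRUSTED_RE.search(line):
            findings.append((lineno, "pull_request event data interpolated directly: validate it before use"))
    return findings


# Constructed sample caller workflow (not from the project) showing both issues.
SAMPLE = """\
name: terraform
on: pull_request
jobs:
  plan:
    uses: kartverket/github-workflows/.github/workflows/run-terraform.yml@v2.7.4
    with:
      ref: ${{ github.event.pull_request.head.ref }}
"""

if __name__ == "__main__":
    for lineno, msg in audit_workflow(SAMPLE):
        print(f"line {lineno}: {msg}")
```

Run it over each file under `.github/workflows/` in your repository; a non-release ref (branch name or commit SHA) is reported for manual verification rather than judged automatically.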

Mitigation

To resolve this issue, users should upgrade their version of kartverket/github-workflows to at least 2.7.5. The updated version includes proper input validation and sanitization, addressing the vulnerability.

As a temporary workaround, you should thoroughly review any pull requests from external users for potential malicious payloads before allowing them to trigger a build.

References

- kartverket/github-workflows Repository
- run-terraform v2.7.5

Conclusion

The code injection vulnerability in the kartverket/github-workflows project poses a significant risk to users who rely on the run-terraform reusable workflow. By upgrading the workflow to version 2.7.5 or higher, you can safeguard your projects against potential attacks. Always exercise caution when reviewing external pull requests, and keep your repository dependencies up to date to protect against known vulnerabilities.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/28/2022 19:26:00 UTC