Skip to content

Actions expression injection in `filter-test-configs` (`GHSL-2023-181`)

Moderate severity GitHub Reviewed Published Aug 30, 2023 in pytorch/pytorch • Updated Aug 30, 2023

Package

actions https://github.com/pytorch/pytorch/.github/actions/filter-test-configs (GitHub Actions)

Affected versions

< 2.0.1

Patched versions

None

Description

The pytorch/pytorch filter-test-configs workflow is vulnerable to an expression injection in Actions, allowing an attacker to potentially leak secrets and alter the repository using the workflow.

Details

The filter-test-configs workflow is using the raw github.event.workflow_run.head_branch value inside the filter step:

- name: Select all requested test configurations
  shell: bash
  env:
    GITHUB_TOKEN: ${{ inputs.github-token }}
    JOB_NAME: ${{ steps.get-job-name.outputs.job-name }}
  id: filter
  run: |
    ...
    python3 "${GITHUB_ACTION_PATH}/../../scripts/filter_test_configs.py" \
      ...
      --branch "${{ github.event.workflow_run.head_branch }}"

In the event of a repository using filter-test-configs in a pull_request_target-triggered workflow, an attacker could use a malicious branch name to gain command execution in the step and potentially leak secrets.

name: Example

on: pull_request_target

jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - name: Filter
        uses: pytorch/pytorch/.github/actions/filter-test-configs@v2

Impact

This issue may lead to stealing workflow secrets.

Remediation

  1. Use an intermediate environment variable for potentially attacker-controlled values such as github.event.workflow_run.head_branch:
- name: Select all requested test configurations
  shell: bash
  env:
    GITHUB_TOKEN: ${{ inputs.github-token }}
    JOB_NAME: ${{ steps.get-job-name.outputs.job-name }}
    HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
  id: filter
  run: |
    ...
    python3 "${GITHUB_ACTION_PATH}/../../scripts/filter_test_configs.py" \
      ...
      --branch "$HEAD_BRANCH"

Resources

References

@malfet malfet published to pytorch/pytorch Aug 30, 2023
Published to the GitHub Advisory Database Aug 30, 2023
Reviewed Aug 30, 2023
Last updated Aug 30, 2023

Severity

Moderate

EPSS score

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-hw6r-g8gj-2987

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.