Skip to content

tj-actions/changed-files has Potential Actions command injection in output filenames (GHSL-2023-271)

High severity GitHub Reviewed Published Dec 23, 2023 in tj-actions/changed-files • Updated Jan 4, 2024

Package

actions tj-actions/changed-files (GitHub Actions)

Affected versions

< 41

Patched versions

41

Description

Summary

The tj-actions/changed-files workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets.

Details

The changed-files action returns a list of files changed in a commit or pull request which provides an escape_json input enabled by default, only escapes " for JSON values.

This could potentially allow filenames that contain special characters such as ; and ` (backtick) which can be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion (thus being directly replaced before execution) inside a run block. By running custom commands an attacker may be able to steal secrets such as GITHUB_TOKEN if triggered on other events than pull_request. For example on push.

Proof of Concept

  1. Submit a pull request to a repository with a new file injecting a command. For example $(whoami).txt which is a valid filename.
  2. Upon approval of the workflow (triggered by the pull request), the action will get executed and the malicious pull request filename will flow into the List all changed files step below.
      - name: List all changed files
        run: |
          for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
            echo "$file was changed"
          done

Example output:

##[group]Run for file in $(whoami).txt; do
    for file in $(whoami).txt; do
        echo "$file was changed"
    done
shell: /usr/bin/bash -e {0}
##[endgroup]
runner.txt was changed

Impact

This issue may lead to arbitrary command execution in the GitHub Runner.

Resolution

  • A new safe_output input would be enabled by default and return filename paths escaping special characters like ;, ` (backtick), $, (), etc for bash environments.

  • A safe recommendation of using environment variables to store unsafe outputs.

- name: List all changed files
  env:
    ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
  run: |
    for file in "$ALL_CHANGED_FILES"; do
      echo "$file was changed"
    done

Resources

References

@jackton1 jackton1 published to tj-actions/changed-files Dec 23, 2023
Published by the National Vulnerability Database Dec 27, 2023
Published to the GitHub Advisory Database Jan 2, 2024
Reviewed Jan 2, 2024
Last updated Jan 4, 2024

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(71st percentile)

Weaknesses

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Learn more on MITRE.

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Learn more on MITRE.

CVE ID

CVE-2023-51664

GHSA ID

GHSA-mcph-m25j-8j63

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.