Coordinated Disclosure Timeline

Summary

OpenIM is vulnerable to Actions expression injection allowing attackers to take over the GitHub Runner and steal the BOT_GITHUB_TOKEN secret.

Project

OpenIM

Tested Version

v3.6.0

Details

Actions expression injection in auto-tag.yml (GHSL-2024-054)

The auto-tag.yml workflow is triggered on issue_comment (i.e., when a comment is created on an Issue or Pull Request). This workflow interpolates data controlled by the commenter (${{ github.event.comment.body }} – the body of the comment) directly into a Run step’s script. Because the runner substitutes the expression into the script text before the shell parses it, the comment body is executed as shell code rather than treated as data; the version regex check runs only after the injected script has already started executing, so it does not mitigate the issue. Anyone who can comment on an Issue can therefore take over the GitHub Runner to run custom commands and steal the BOT_GITHUB_TOKEN secret.

- name: Validate version number and get comment
  id: validate
  run: |
    COMMENT="${{ github.event.comment.body }}"
    VERSION=$(echo $COMMENT | cut -d ' ' -f 3)
    TAG_COMMENT=$(echo $COMMENT | cut -d '"' -f 2)
    if [[ $VERSION =~ ^v([0-9]+\.){2}[0-9]+$ ]]; then
      echo "version=$VERSION" >> $GITHUB_STATE
      echo "tag_comment=$TAG_COMMENT" >> $GITHUB_STATE
    else
      echo "Invalid version number."
      exit 1
    fi
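The following bash script is an added example, not code from the advisory or from the OpenIM project. It replays what the Actions runner does with a run step (plain textual substitution of the ${{ ... }} expression into the script before bash starts), executes the result for a benign and a hostile comment body, and contrasts it with a hardened step that receives the same body through an environment variable. The comment bodies, the `/create tag v3.6.0` layout, the `echo INJECTED` marker and the function names are all constructed for the demonstration; the GITHUB_STATE writes of the original step are replaced by plain echo so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (not the advisory's or OpenIM's own code): simulates expression
# substitution into a run: step, then contrasts it with an env-based step.
set -u

# The expression the runner would expand. We keep it literal and substitute it
# ourselves in render_step, exactly as a textual template expansion would.
EXPR='${{ github.event.comment.body }}'

# The vulnerable step from auto-tag.yml, trimmed to the lines that matter
# (GITHUB_STATE writes replaced by echo so it runs locally).
vulnerable_template() {
  cat <<'EOF'
COMMENT="${{ github.event.comment.body }}"
VERSION=$(echo $COMMENT | cut -d ' ' -f 3)
if [[ $VERSION =~ ^v([0-9]+\.){2}[0-9]+$ ]]; then
  echo "version=$VERSION"
else
  echo "Invalid version number."
  exit 1
fi
EOF
}

# Hardened step. In the workflow it would read:
#   - name: Validate version number and get comment
#     env:
#       COMMENT: ${{ github.event.comment.body }}
#     run: |
#       VERSION=$(printf '%s\n' "$COMMENT" | cut -d ' ' -f 3)
#       ...
# The script text contains no expression, so nothing the commenter writes can
# change the code that runs; quoting "$COMMENT" keeps the body a single word.
hardened_script() {
  cat <<'EOF'
VERSION=$(printf '%s\n' "$COMMENT" | cut -d ' ' -f 3)
if [[ $VERSION =~ ^v([0-9]+\.){2}[0-9]+$ ]]; then
  echo "version=$VERSION"
else
  echo "Invalid version number."
  exit 1
fi
EOF
}

# Constructed inputs. The benign one follows the "third word is the version"
# layout the step expects; the hostile one closes the double quote, runs a
# command of its own, then re-opens a COMMENT that still passes the regex.
BENIGN_COMMENT='/create tag v3.6.0'
HOSTILE_COMMENT='"; echo INJECTED; COMMENT="x y v3.6.0'

# Mimic the runner: textual substitution of the expression into the script.
render_step() {
  local template=$1 body=$2
  printf '%s\n' "${template//"$EXPR"/"$body"}"
}

# Render and execute the vulnerable step; prints its output then "exit=<rc>".
run_vulnerable() {
  local rc=0
  render_step "$(vulnerable_template)" "$1" | bash || rc=$?
  echo "exit=$rc"
}

# Execute the hardened step; the body only ever travels via the environment.
run_hardened() {
  local rc=0
  COMMENT="$1" bash -c "$(hardened_script)" || rc=$?
  echo "exit=$rc"
}

main() {
  echo '--- vulnerable step, benign comment';  run_vulnerable "$BENIGN_COMMENT"
  echo '--- vulnerable step, hostile comment'; run_vulnerable "$HOSTILE_COMMENT"
  echo '--- hardened step, hostile comment';   run_hardened "$HOSTILE_COMMENT"
}
main
```

With the hostile body, the vulnerable step prints `INJECTED` and then `version=v3.6.0` with exit code 0: the injected command runs first, and the regex check is satisfied afterwards because the attacker supplied a valid-looking version in the same payload. The hardened step treats the identical body as data, finds `INJECTED;` in the third field, and fails validation with exit code 1. The general fix for this class of bug is the one shown in the comment: move every ${{ ... }} expression that carries untrusted input out of the run script and into `env:`, then reference it as a quoted shell variable.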

Impact

This issue allows anyone who can comment on an Issue to execute arbitrary commands on the GitHub Runner and exfiltrate workflow secrets, including BOT_GITHUB_TOKEN.

Resources

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-054 in any communication regarding this issue.