Coordinated Disclosure Timeline

Summary

The React Native OneSignal SDK repository is vulnerable to command injection in its Zapier.yml GitHub Actions workflow.

Product

React Native OneSignal SDK

Tested Version

4e43bda

Details

Actions command injection in Zapier.yml (GHSL-2023-051)

The Zapier.yml workflow is triggered on issues (types: [closed]), i.e., when an Issue is closed. The workflow runs with a GitHub repository token that has full write permissions, since the default workflow permissions at the Organization/Repository level are set to read-write.

Given this, the workflow runs the following step with attacker-controlled data (${{ github.event.issue.title }}, the full title of the Issue) interpolated directly into the shell script, allowing an attacker to take over the GitHub Runner and run custom commands, potentially stealing any secret (if used) or altering the repository.

- name: Call Zapier web hook to close Asana task
  if: ${{ !github.event.issue.pull_request }}
  run: |
    curl --location --request POST 'https://hooks.zapier.com/hooks/catch/...' \
    --header 'Content-Type: application/json' \
    --header 'Accept: application/json' \
    --data-raw '{
      "task_name" : "${{ github.event.issue.title }}"
    }'

This issue was found with CodeQL, using the JavaScript query "Expression injection in Actions".
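A hardened form of the step above, as an added example (not the project's actual fix and not code from the advisory): the title reaches the script through an environment variable instead of an inline expression, and the workflow token is reduced to no permissions. The job name, the runner label and the use of jq are assumptions; the webhook URL is left elided as on the page.

```yaml
on:
  issues:
    types: [closed]

# Least privilege: the job only makes an outbound HTTP call, so the
# GITHUB_TOKEN needs no repository permissions, whatever the
# Organization/Repository default is.
permissions: {}

jobs:
  close-asana-task:          # assumption: job name is not shown on the page
    runs-on: ubuntu-latest   # assumption: GitHub-hosted runner with curl and jq
    steps:
      - name: Call Zapier web hook to close Asana task
        if: ${{ !github.event.issue.pull_request }}
        env:
          # The expression is expanded into the process environment, not into
          # the script text, so the shell never parses the title as code.
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          # jq JSON-encodes the value, so quotes or braces in the title
          # cannot break out of the "task_name" string either.
          jq -n --arg task_name "$ISSUE_TITLE" '{task_name: $task_name}' |
            curl --fail --location --request POST 'https://hooks.zapier.com/hooks/catch/...' \
              --header 'Content-Type: application/json' \
              --header 'Accept: application/json' \
              --data-binary @-
```

The variable must stay double-quoted wherever the script uses it ("$ISSUE_TITLE"); an unquoted expansion would still be subject to word splitting and globbing.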

Proof of Concept

  1. Create an Issue in OneSignal/react-native-onesignal with the following title: `foo"}'; echo "Hello"; echo '` (without backticks)
  2. Close the Issue.
  3. Check the workflow runs for the new Actions run that will execute the command echo "Hello".

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Resources

CVE

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2023-051 in any communication regarding this issue.