Coordinated Disclosure Timeline

Summary

The jellyfin/jellyfin repository is vulnerable to a command injection in Actions, allowing an attacker to take over the GitHub Actions runner and leak secrets.

Product

Jellyfin

Tested Version

10.8.10

Details

Actions command injection in openapi.yml (GHSL-2023-107)

The openapi.yml workflow is triggered on pull_request_target (i.e., when a Pull Request against the base repository is created or updated), which also covers the case when a Pull Request originates from a fork.

Taking the above into account, this workflow runs the following step with data controlled by said fork (${{ github.head_ref }} – the name of the fork’s branch), allowing an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets and altering the workflow run).

- name: Checkout common ancestor
  run: |
    git remote add upstream https://github.com/${{ github.event.pull_request.base.repo.full_name }}
    git -c protocol.version=2 fetch --prune --progress --no-recurse-submodules upstream +refs/heads/*:refs/remotes/upstream/* +refs/tags/*:refs/tags/*
    ANCESTOR_REF=$(git merge-base upstream/${{ github.base_ref }} origin/${{ github.head_ref }})
    git checkout --progress --force $ANCESTOR_REF

Proof of Concept

  1. Fork the jellyfin/jellyfin repository, whose name we will refer as username/jellyfin-fork.
  2. Create a branch in username/jellyfin-fork with the name master;echo${IFS}"hello";.
  3. Push changes to the former branch.
  4. Create a pull request from username/jellyfin-fork:master;echo${IFS}"hello"; to jellyfin/jellyfin:master.
  5. Check the workflow runs for the new Actions run that will execute the command echo "hello".

Impact

This issue may lead to stealing workflow secrets and altering the workflow run.

Resources

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-107 in any communication regarding this issue.