I've identified a critical security vulnerability within the GitHub Action due to the handling of the "ADDITIONAL_PARAMETERS" input. The issue arises from the use of eval to process this input, which can allow for the execution of arbitrary commands. This misuse of eval poses a significant security risk, as it could potentially be exploited to bypass CI controls or expose sensitive information, such as the GITHUB_TOKEN.
https://github.com/Checkmarx/ast-github-action/blob/75a1d77169240b76e9e0bce6ea2ac33a3f7f0229/entrypoint.sh#L5
Expected behavior
The expected behavior would be for the GitHub Action to securely handle input parameters without executing them as code. Ideally, inputs should be sanitized or validated to ensure that they cannot be used to inject malicious code.
Actual behavior
The actual behavior is that the "ADDITIONAL_PARAMETERS" input is processed with eval, allowing for the injection of arbitrary commands. For example, injecting "); exit 0; # can terminate the script prematurely, and similarly, "); echo $GITHUB_TOKEN; # could potentially expose the GitHub token or other sensitive environment variables.
Steps to reproduce
To reproduce the vulnerability, you can follow these steps:
Configure the GitHub Action in a workflow.
In the action's inputs, supply an "ADDITIONAL_PARAMETERS" value that includes malicious code, such as "); exit 0; #.
Execute the workflow.
Observe that the injected command is executed, demonstrating the vulnerability.
Additional comments
This vulnerability exposes projects to significant risks, including unauthorized access to sensitive information or manipulation of the CI/CD process. It is crucial to address this issue to maintain the security integrity of projects using this GitHub Action.
Logs
Due to the nature of this report, providing specific logs might inadvertently expose sensitive information. However, the behavior can be verified by following the reproduction steps provided above with a test command designed to demonstrate the arbitrary command execution.
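Added illustration (example code, not the action's entrypoint.sh and not part of the report above): a stand-in shell script that puts the eval pattern the report describes next to a way of passing extra arguments that never hands user input to the shell parser. `fake_cli`, the function names and the placeholder token value are assumptions; `run_vulnerable` is a hypothetical reconstruction of the pattern, not the real file. The payload uses `echo` instead of the report's `exit 0` so the effect shows up in the function's output rather than terminating the shell.

```shell
#!/bin/sh
# Added illustration, not the Checkmarx action's real entrypoint.sh.
# fake_cli stands in for the scanner binary and just echoes its argv,
# one entry per line, so we can see exactly what it would have received.
fake_cli() {
  printf '%s\n' "$@"
}

# Constructed placeholder secret (in the action the real GITHUB_TOKEN is in
# the environment); only set if nothing is already there.
: "${GITHUB_TOKEN:=example-token-not-real}"

# VULNERABLE (hypothetical reconstruction of the pattern the report describes):
# the untrusted input is spliced into a command string and handed to eval,
# so ';', '$VAR', '$(...)' and '#' are interpreted as shell syntax.
run_vulnerable() {
  eval "fake_cli scan create $1"
}

# SAFE: word-split the input on whitespace only (globbing disabled so '*'
# stays literal), then pass every word as its own argv entry. The content is
# never re-parsed as shell, so metacharacters reach the CLI as plain bytes.
run_safe() {
  set -f
  # shellcheck disable=SC2086  # splitting into words is the intent here
  set -- $1
  set +f
  fake_cli scan create "$@"
}

# Optional defense in depth: refuse anything outside a conservative allowlist
# of characters before it gets anywhere near a command line.
validate_params() {
  if printf '%s' "$1" | grep -q '[^A-Za-z0-9 ._=/:,-]'; then
    return 1
  fi
  return 0
}

# Demo when run as: sh this_script.sh demo
# Sends the same injection payload through both paths.
if [ "${1:-}" = "demo" ]; then
  payload='; echo "$GITHUB_TOKEN"; #'
  echo "--- eval path (token leaks) ---"
  run_vulnerable "$payload"
  echo "--- argv path (token stays put) ---"
  run_safe "$payload"
fi
```

The argv-based path is the same shape a composite or Docker action gets for free when the extra parameters are declared as separate inputs rather than one free-form string; the allowlist check is a second layer, not a substitute for dropping eval.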