Описание
Harden-Runner has a command injection weaknesses in setup.ts and arc-runner.ts
Summary
Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time.
Details
-
setup.ts:169 1 performs
execSyncwith a command that gets invoked after interpretation by the shell. This command includes an interpolatedprocess.env.USERvariable, which an attacker could modify (without actually creating a new user) to inject arbitrary shell expressions into thisexecSync. This may or may not be likely in practice, but I believe the hygienic way to perform the underlying operation is to useexecFileSyncor similar and bypass the underlying shell evaluation. -
setup.ts:229 2 has a nearly identical
execSyncto (1) above, but with$USERfor shell-level interpolation rather than string interpolation. However, this is still injectable and would be best replaced by anexecFileSync, per above. -
arc-runner:40-44 3 has an
execSyncwith multiple string interpolations. Most of these do not appear immediately injectible (since they appear to come from presumed trusted API responses), but the expansion ofgetRunnerTempDir()may be injectable due to its dependence on potentially attacker-controllable environment variables (e.g.RUNNER_TEMP). The underlying operation appears to be a trivial file copy, so this entire subprocess should in theory be replaceable with ordinary NodeJSfsAPI calls instead. -
arc-runner:53 4 demonstrates the same weakness, and has the same resolution as (3).
-
arc-runner:57 demonstrates the same weakness as (3) and (4), and has the same resolution.
-
arc-runner:61 demonstrates the same weakness as (3), (4), and (5), and has the same resolution.
Ссылки
- https://github.com/step-security/harden-runner/security/advisories/GHSA-g85v-wf27-67xc
- https://nvd.nist.gov/vuln/detail/CVE-2024-52587
- https://github.com/step-security/harden-runner/commit/0080882f6c36860b6ba35c610c98ce87d4e2f26f
- https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L40-L44
- https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L53
- https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L57
- https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L61
- https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/setup.ts#L169
- https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/setup.ts#L229
Пакеты
step-security/harden-runner
< 2.10.2
2.10.2
Связанные уязвимости
StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time. Version 2.10.2 contains a patch.
StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time. Version 2.10.2 contains a patch.