Описание
Renovate vulnerable to arbitrary command injection via helmv3 manager and registryAliases
Summary
Attackers with commit access to the default branch of a repo using Renovate could manipulate helmv3 registryAliases to execute arbitrary commands.
Details
Since #26848, registryAliases has become mergeable. This means that the helmv3 manager started honoring its value and uses a helm repo add <key> <parameters> command for each defined alias. See source code: https://github.com/renovatebot/renovate/blob/23f3df6216375cb5bcfe027b0faee304f877f891/lib/modules/manager/helmv3/artifacts.ts#L80
The key was not quoted, leading to the ability to use variable references ($FOO) in it and have them printed by Renovate on the pull request, or even running any shell commands.
PoC
Inside a repository where Renovate runs, add a Helm chart with an outdated dependency, for example:
test-chart/Chart.yaml:
test-chart/Chart.lock:
Then add the following renovate.json:
Once Renovate runs on the repository, it will create a pull request, and add a comment titled "Artifact update problem" containing the following text:
This shows that the ls command executed successfully, and we can even see its output.
Note that redirecting any output you want to see to stderr (>&2) and making sure the final command fails (exit 1) is required in this case, as Renovate only adds a comment if the command fails, and it contains only stderr (not stdout) output.
Impact
All Renovate versions from 37.158.0 up until 37.199.0 were affected. This vulnerability allows full access to Renovate's execution environment. The level of severity depends on how Renovate is deployed (Docker, Kubernetes, CI pipeline, ...) and whether Renovate is being offered to untrusted users/repositories.
Ссылки
Пакеты
renovate
>= 37.158.0, < 37.199.0
37.199.0
5.4 Medium
CVSS3
Дефекты
5.4 Medium
CVSS3