Gh Actions - Context Script Injections


Understanding the risk

GitHub Actions renders expressions ${{ ... }} before the step executes. The rendered value is pasted into the step’s program (for run steps, a shell script). If you interpolate untrusted input directly inside run:, the attacker controls part of the shell program and can execute arbitrary commands.

Docs: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions and contexts/functions: https://docs.github.com/en/actions/learn-github-actions/contexts

Key points:

  • Rendering happens before execution. The run script is generated with all expressions resolved, then executed by the shell.
  • Many contexts contain user-controlled fields depending on the triggering event (issues, PRs, comments, discussions, forks, stars, etc.). See the untrusted input reference: https://securitylab.github.com/resources/github-actions-untrusted-input/
  • Shell quoting inside run: is not a reliable defense, because the injection happens at the template rendering stage. Attackers can break out of quotes or inject operators via crafted input.

Vulnerable example → RCE on runner

Vulnerable workflow (triggered when someone opens a new issue):

yaml
name: New Issue Created
on:
  issues:
    types: [opened]
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      - name: New issue
        run: |
          echo "New issue ${{ github.event.issue.title }} created"
      - name: Add "new" label to issue
        uses: actions-ecosystem/action-add-labels@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          labels: new

If an attacker opens an issue titled $(id), the rendered step becomes:

sh
echo "New issue $(id) created"

Command substitution runs id on the runner. Example output:

New issue uid=1001(runner) gid=118(docker) groups=118(docker),4(adm),100(users),999(systemd-journal) created

Why quoting doesn't save you:

  • Expressions are rendered first, then the resulting script is run. If the untrusted value contains $(...), ;, "/', or newlines, it can alter the program structure despite your quoting.

Safe example (shell variables via env)

Correct mitigation: copy the untrusted input into an environment variable, then use native shell expansion ($VAR) in the run script. Do not re-embed it with ${{ ... }} inside the command.

yaml
# safe
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: New issue
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue $TITLE created"

Notes:

  • Avoid using ${{ env.TITLE }} inside run:. That reintroduces template rendering into the command and brings the same injection risk.
  • Prefer passing untrusted inputs via the env: mapping and referencing them with $VAR inside run:.

Reader-triggerable surfaces (treat as untrusted)

Accounts with only read permission on public repositories can still trigger many events. Every field in the contexts derived from these events must be considered attacker-controlled unless proven otherwise. Examples:

  • issues, issue_comment
  • discussion, discussion_comment (orgs can restrict discussions)
  • pull_request, pull_request_review, pull_request_review_comment
  • pull_request_target (dangerous if misused, runs in the base repo context)
  • fork (anyone can fork public repos)
  • watch (starring a repo)
  • Indirectly via workflow_run/workflow_call chains

Which specific fields are attacker-controlled depends on the event. Consult GitHub Security Lab’s untrusted input guide: https://securitylab.github.com/resources/github-actions-untrusted-input/

Practical tips

  • Minimize the use of expressions inside run:. Use env: mapping + $VAR.
  • If you must transform input, do it in the shell using safe tools (printf %q, jq -r, etc.), still starting from a shell variable.
  • Be extra careful when interpolating branch names, PR titles, usernames, labels, discussion titles, and PR head refs into scripts, command-line flags, or file paths.
  • For reusable workflows and composite actions, apply the same pattern: map to env, then reference it with $VAR.
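
To audit existing workflows against the tips above, the following added example (not part of the original page or of any GitHub tooling) lists every ${{ ... }} expression that is rendered into a run: script, while ignoring expressions under env: or with:. It is a line-based check rather than a full YAML parser, and the RISKY pattern is an assumed, non-exhaustive list of attacker-influenced contexts.

```python
import re

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
# Assumed, non-exhaustive markers; env.* counts because ${{ env.X }} in run: is rendered too.
RISKY = re.compile(r"\b(github\.event\.|github\.head_ref\b|env\.)")

def find_run_expressions(workflow_text):
    """Return (line_no, expression, risky) for every ${{ }} rendered into a run: script."""
    findings, run_col = [], None  # run_col: column of the active block-scalar run: key
    for no, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip():
            continue  # blank lines do not end a block scalar
        indent = len(line) - len(line.lstrip())
        if run_col is not None and indent > run_col:
            body = line  # still inside the run: script body
        else:
            run_col = None
            m = RUN_KEY.match(line)
            if not m:
                continue  # env:, with:, name: ... are not shell script text
            body = m.group(2)
            if body[:1] in ("|", ">"):
                run_col = len(m.group(1))
        for expr in EXPR.findall(body):
            findings.append((no, expr, bool(RISKY.search(expr))))
    return findings

# Constructed sample inputs, modelled on the two workflows shown on this page.
VULNERABLE = """\
jobs:
  deploy:
    steps:
      - name: New issue
        run: |
          echo "New issue ${{ github.event.issue.title }} created"
"""
SAFE = """\
jobs:
  deploy:
    steps:
      - name: New issue
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue $TITLE created"
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        print(name, find_run_expressions(text))
```

Findings with risky set to False (for example a matrix value) are still reported, since the tips above recommend keeping expressions out of run: altogether.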
