A vulnerability in the GitHub Actions handler allowed packages in Nixpkgs to be compromised.

Vulnerabilities have been disclosed in the GitHub Actions handlers that run automatically when a pull request is submitted to Nixpkgs, the package repository used by the NixOS distribution and the Nix package manager ecosystem. The vulnerability allowed an unauthorized user to extract a token granting read and write access to the source code of all packages hosted in Nixpkgs. With this token, any package could be modified directly in the project's Git repository, bypassing the review and approval processes.

The ability to compromise Nixpkgs and inject custom code into any package was demonstrated by security researchers last October at the NixCon conference and was immediately patched in the project's infrastructure. However, details of the attack were only disclosed a year later. The issue was related to the use of GitHub Actions handlers in the Nixpkgs GitHub repository, which are bound to the "pull_request_target" event and perform automated checks upon new pull requests.

Unlike the "pull_request" event, handlers bound to "pull_request_target" run with read/write access to the build environment (the repository token and its secrets), which requires special care when working with data taken from a pull request. One of the handlers bound to "pull_request_target" validated the "OWNERS" file supplied in the pull request by building and calling the codeowners-validator utility:

    steps:
      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf
        with:
          ref: refs/pull/$/merge
          path: pr
      - run: nix-build base/ci -A codeownersValidator
      - run: result/bin/codeowners-validator
        env:
          OWNERS_FILE: pr/ci/OWNERS

The problem was that if the OWNERS file was malformed, the codeowners-validator utility echoed the offending line into the job log, which is publicly readable. The attack consisted of placing in the pull request a symbolic link named OWNERS that pointed to the ".credentials" file, in which credentials are stored in the build environment. Processing this file therefore produced a parse error, and its first line, containing the repository access token, was written to the public log.


Additionally, another vulnerability was found in the handler that checks editorconfig rules:

    steps:
      - name: Get list of changed files from PR
        run: gh api […] | jq [ … ] > "$HOME/changed_files"
      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
        with:
          ref: refs/pull/$/merge
      - name: Checking EditorConfig
        run: cat "$HOME/changed_files" | xargs -r editorconfig-checker

In this case, the issue was the use of the "xargs" utility to run editorconfig-checker on every file changed in the pull request. Since the filenames were not validated, an attacker could add a file whose name contained special characters, and xargs would pass that name to editorconfig-checker as a command-line argument. For example, adding a file named "--help" made editorconfig-checker print its usage text listing the available options.
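The following shell script is an added example; it is not Nixpkgs' own code and not the fix the project actually applied. The file names, the list of changed paths and the temporary directory are constructed for illustration. It shows two pre-checks a workflow step could run before handing pull-request data to a tool: refusing an OWNERS path that is a symbolic link or not a regular file (the symlink-to-.credentials case above), and passing changed-file names to xargs NUL-delimited with a "./" prefix so that a name such as "--help" reaches editorconfig-checker as a path rather than an option (the xargs case above).

```shell
#!/bin/sh
# Added example (not Nixpkgs' code): defensive pre-checks for the two handler
# bugs described above. All paths and file lists below are constructed.

# Accept an OWNERS path only if it is a regular file and not a symbolic link.
# A symlink such as OWNERS -> .credentials would otherwise make the validator
# read a secret and echo it into the public job log. The -L test must come
# first, because -f follows symlinks and would accept a link to a real file.
check_owners_file() {
    f="$1"
    if [ -L "$f" ]; then
        printf 'refusing symlink: %s\n' "$f" >&2
        return 1
    fi
    if [ ! -f "$f" ]; then
        printf 'not a regular file: %s\n' "$f" >&2
        return 1
    fi
    return 0
}

# Read newline-separated changed-file names on stdin and emit them
# NUL-separated with a "./" prefix. The prefix guarantees that a name such
# as "--help" is handed to the tool as a path and never parsed as an option;
# absolute paths and ".." components are dropped because they point outside
# the checkout. Consume the output with: xargs -0 -r editorconfig-checker
safe_file_args() {
    while IFS= read -r name; do
        case "$name" in
            ''|/*|..|../*|*/..|*/../*)
                printf 'dropping suspicious path: %s\n' "$name" >&2
                continue ;;
        esac
        printf './%s\0' "$name"
    done
}

# Stand-alone demonstration on constructed input.
demo_dir=$(mktemp -d)
printf '* @maintainer\n' > "$demo_dir/OWNERS"
ln -s "$demo_dir/secret" "$demo_dir/OWNERS-link"
check_owners_file "$demo_dir/OWNERS"      && echo "OWNERS accepted"
check_owners_file "$demo_dir/OWNERS-link" || echo "OWNERS-link rejected"
printf '%s\n' '--help' 'pkgs/foo/default.nix' '/etc/passwd' '../escape' \
    | safe_file_args 2>/dev/null | tr '\000' '\n'
rm -rf "$demo_dir"
```

In a workflow the two functions would sit between the checkout step and the tool invocation: `check_owners_file pr/ci/OWNERS || exit 1` before running the validator, and `safe_file_args < "$HOME/changed_files" | xargs -0 -r editorconfig-checker` in place of the original `cat | xargs` pipeline. The "./" prefix is chosen over filtering dash-led names because it closes the whole class of option-looking filenames rather than a list of known bad ones.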

Source: opennet.ru
