PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps
Description
Summary
gh-action-pypi-publish makes use of GitHub Actions expression expansions (i.e. ${{ ... }}) in contexts that are potentially attacker controllable. Depending on the trigger used to invoke gh-action-pypi-publish, this may allow an attacker to execute arbitrary code within the context of a workflow step that invokes gh-action-pypi-publish.
Details
gh-action-pypi-publish contains a composite action step, set-repo-and-ref, that makes use of expression expansions:

```yaml
- name: Set repo and ref from which to run Docker container action
  id: set-repo-and-ref
  run: |
    # Set repo and ref from which to run Docker container action
    # to handle cases in which `github.action_` context is not set
    # https://github.com/actions/runner/issues/2473
    REF=${{ env.ACTION_REF || env.PR_REF || github.ref_name }}
    REPO=${{ env.ACTION_REPO || env.PR_REPO || github.repository }}
    REPO_ID=${{ env.PR_REPO_ID || github.repository_id }}
    echo "ref=$REF" >>"$GITHUB_OUTPUT"
    echo "repo=$REPO" >>"$GITHUB_OUTPUT"
    echo "repo-id=$REPO_ID" >>"$GITHUB_OUTPUT"
  shell: bash
  env:
    ACTION_REF: ${{ github.action_ref }}
    ACTION_REPO: ${{ github.action_repository }}
    PR_REF: ${{ github.event.pull_request.head.ref }}
    PR_REPO: ${{ github.event.pull_request.head.repo.full_name }}
    PR_REPO_ID: ${{ github.event.pull_request.base.repo.id }}
```
In normal intended operation, these expansions are used to establish a correct priority for outputs like ref and repo-id.
However, these expansions have a side effect: because they're done with ${{ ... }} and not with ${...} (i.e. normal shell interpolation), they can bypass normal shell quoting rules. In particular, if both env.ACTION_REF and env.PR_REF evaluate to empty strings, then the expression falls back to github.ref_name, which can be an attacker controlled string via a branch or tag name.
For example, if the attacker is able to set a branch name to something like innocent;cat${IFS}/etc/passwd, then the REF line may expand as:
REF=innocent;cat${IFS}/etc/passwd
which would set REF to innocent and then run the attacker's code.
Additional information about dangerous expansions can be found in zizmor's template-injection rule documentation.
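A hardened form of the step's shell logic, as an added example rather than the project's own code or its actual fix: context values reach the script only as environment variables, so a branch name is never parsed as shell syntax. REF_NAME, REPOSITORY and REPOSITORY_ID are names assumed here, to be mapped in the step's env: block.

```shell
#!/bin/sh
# Added example (not the project's code). In the action's YAML, every context
# value would be passed through `env:` only, for instance:
#   REF_NAME: ${{ github.ref_name }}
# REF_NAME, REPOSITORY and REPOSITORY_ID are names assumed for this example.

NL='
'

# Append one name=value line to $GITHUB_OUTPUT. The file is line-oriented,
# so a value containing a newline is refused rather than written.
emit_output() {
  case $2 in
    *"$NL"*) echo "refusing multi-line value for $1" >&2; return 1 ;;
  esac
  printf '%s=%s\n' "$1" "$2" >>"$GITHUB_OUTPUT"
}

# Same priority order as the original expressions. ${A:-B} yields B when A is
# unset or empty, which matches `A || B` for these string values.
set_repo_and_ref() {
  ref="${ACTION_REF:-${PR_REF:-${REF_NAME:-}}}"
  repo="${ACTION_REPO:-${PR_REPO:-${REPOSITORY:-}}}"
  repo_id="${PR_REPO_ID:-${REPOSITORY_ID:-}}"
  emit_output ref "$ref" &&
    emit_output repo "$repo" &&
    emit_output repo-id "$repo_id"
}

# Constructed demo: the branch name from the advisory arrives as data only.
demo() (
  GITHUB_OUTPUT=$(mktemp) || exit 1
  unset ACTION_REF PR_REF ACTION_REPO PR_REPO PR_REPO_ID
  REF_NAME='innocent;cat${IFS}/etc/passwd'
  REPOSITORY='example-org/example-repo'   # constructed
  REPOSITORY_ID='1'                       # constructed
  set_repo_and_ref
  cat "$GITHUB_OUTPUT"
  rm -f "$GITHUB_OUTPUT"
)
demo
```

The demo writes the branch name verbatim as the ref output; the shell performs a single parameter expansion and does not re-parse the result as commands.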
Impact
The impact of this vulnerability is very low: the expression in question is unlikely to be evaluated in normal operation, since env.ACTION_REF should always take precedence.
In particular, the action is not vulnerable in many popular configurations, i.e. those where pull_request or release or a push: tags event is used to call the action.
Weaknesses
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Learn more on MITRE.
Credits
woodruffw (Reporter)