New Descriptions

Author: Alvaro Muñoz

ql/src/Security/CWE-077/EnvPathInjectionCritical.md

@@ -0,0 +1,37 @@
+# Environment Path Injection
+
+## Description
+
+GitHub Actions allows to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g.
+
+```bash
+echo "$HOME/.local/bin" >> $GITHUB_PATH
+```
+
+If an attacker can control the contents of the path being assigned to the system PATH, they will be able to influence what commands are run in subsequen steps of the same job.
+
+## Recommendations
+
+- Do Not Allow Untrusted Data to Influence The System PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH.
+
+## Examples
+
+### Incorrect Usage
+
+Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps:
+
+```yaml
+steps:
+  - name: Set the path
+    env:
+      BODY: ${{ github.event.comment.body }}
+    run: |
+      PATH=$(echo "$BODY" | grep -oP 'system path: \K\S+')
+      echo "$PATH" >> "$GITHUB_PATH"
+```
+
+If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially change the system PATH and get arbitrary command execution in subsequent steps.
+
+## References
+
+- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)

ql/src/Security/CWE-077/EnvPathInjectionMedium.md

@@ -0,0 +1,37 @@
+# Environment Path Injection
+
+## Description
+
+GitHub Actions allows to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g.
+
+```bash
+echo "$HOME/.local/bin" >> $GITHUB_PATH
+```
+
+If an attacker can control the contents of the path being assigned to the system PATH, they will be able to influence what commands are run in subsequen steps of the same job.
+
+## Recommendations
+
+- Do Not Allow Untrusted Data to Influence The System PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH.
+
+## Examples
+
+### Incorrect Usage
+
+Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps:
+
+```yaml
+steps:
+  - name: Set the path
+    env:
+      BODY: ${{ github.event.comment.body }}
+    run: |
+      PATH=$(echo "$BODY" | grep -oP 'system path: \K\S+')
+      echo "$PATH" >> "$GITHUB_PATH"
+```
+
+If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially change the system PATH and get arbitrary command execution in subsequent steps.
+
+## References
+
+- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)

ql/src/Security/CWE-077/EnvVarInjectionCritical.md

@@ -0,0 +1,117 @@
+# Environment Variable Injection
+
+## Description
+
+GitHub Actions allows to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable:
+
+This file should lines in the `KEY=VALUE` format:
+
+```bash
+steps:
+  - name: Set the value
+    id: step_one
+    run: |
+      echo "action_state=yellow" >> "$GITHUB_ENV"
+```
+
+It is also possible to define a multiline variables by using the following format:
+
+```
+KEY<<{delimiter}
+VALUE
+VALUE
+{delimiter}
+```
+
+```bash
+steps:
+  - name: Set the value in bash
+    id: step_one
+    run: |
+      {
+        echo 'JSON_RESPONSE<<EOF'
+        curl https://example.com
+        echo EOF
+      } >> "$GITHUB_ENV"
+```
+
+If an attacker can control the contents of the values assigned to these variables and these are not properly sanitized, they will be able to inject additional variables by injecting new lines or `{delimiters}`.
+
+## Recommendations
+
+1. **Do Not Allow Untrusted Data to Influence Environment Variables**:
+
+- Avoid using untrusted data sources (e.g., artifact content) to define environment variables.
+- Validate and sanitize all inputs before using them in environment settings.
+
+2. **Do Not Allow New Lines When Defining Single Line Environment Variables**:
+
+- `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"`
+
+3. **Use Unique Identifiers When Defining Multi Line Environment Variables**:
+
+```bash
+steps:
+  - name: Set the value in bash
+    id: step_one
+    run: |
+      # Generate a UUID
+      UUID=$(uuidgen)
+      {
+        echo "JSON_RESPONSE<<EOF$UUID"
+        curl https://example.com
+        echo "EOF$UUID"
+      } >> "$GITHUB_ENV"
+```
+
+## Examples
+
+### Example of Vulnerability
+
+Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps:
+
+```yaml
+steps:
+  - name: Set the value
+    id: step_one
+    env:
+      BODY: ${{ github.event.comment.body }}
+    run: |
+      REPLACED=$(echo "$BODY" | sed 's/FOO/BAR/g')
+      echo "BODY=$REPLACED" >> "$GITHUB_ENV"
+```
+
+If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially inject new Environment variables. For example, they could write an Issue comment like:
+
+```
+FOO
+NEW_ENV_VAR=MALICIOUS_VALUE
+```
+
+Likewise, if the attacker controls a file in the Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact), and the contents of that file are assigned to an environment variable such as:
+
+```bash
+- run: |
+    PR_NUMBER=$(cat pr-number.txt)
+    echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
+```
+
+An attacker could craft a malicious artifact that writes dangerous environment variables:
+
+```bash
+  - run: |
+      echo -e "666\nNEW_ENV_VAR=MALICIOUS_VALUE" > pr-number.txt
+  - uses: actions/upload-artifact@v4
+    with:
+      name: pr-number
+      path: ./pr-number.txt
+```
+
+### Exploitation
+
+An attacker will be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.
+
+## References
+
+- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
+- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation)

ql/src/Security/CWE-077/EnvVarInjectionMedium.md

@@ -0,0 +1,117 @@
+# Environment Variable Injection
+
+## Description
+
+GitHub Actions allows to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable:
+
+This file should lines in the `KEY=VALUE` format:
+
+```bash
+steps:
+  - name: Set the value
+    id: step_one
+    run: |
+      echo "action_state=yellow" >> "$GITHUB_ENV"
+```
+
+It is also possible to define a multiline variables by using the following format:
+
+```
+KEY<<{delimiter}
+VALUE
+VALUE
+{delimiter}
+```
+
+```bash
+steps:
+  - name: Set the value in bash
+    id: step_one
+    run: |
+      {
+        echo 'JSON_RESPONSE<<EOF'
+        curl https://example.com
+        echo EOF
+      } >> "$GITHUB_ENV"
+```
+
+If an attacker can control the contents of the values assigned to these variables and these are not properly sanitized, they will be able to inject additional variables by injecting new lines or `{delimiters}`.
+
+## Recommendations
+
+1. **Do Not Allow Untrusted Data to Influence Environment Variables**:
+
+- Avoid using untrusted data sources (e.g., artifact content) to define environment variables.
+- Validate and sanitize all inputs before using them in environment settings.
+
+2. **Do Not Allow New Lines When Defining Single Line Environment Variables**:
+
+- `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"`
+
+3. **Use Unique Identifiers When Defining Multi Line Environment Variables**:
+
+```bash
+steps:
+  - name: Set the value in bash
+    id: step_one
+    run: |
+      # Generate a UUID
+      UUID=$(uuidgen)
+      {
+        echo "JSON_RESPONSE<<EOF$UUID"
+        curl https://example.com
+        echo "EOF$UUID"
+      } >> "$GITHUB_ENV"
+```
+
+## Examples
+
+### Example of Vulnerability
+
+Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps:
+
+```yaml
+steps:
+  - name: Set the value
+    id: step_one
+    env:
+      BODY: ${{ github.event.comment.body }}
+    run: |
+      REPLACED=$(echo "$BODY" | sed 's/FOO/BAR/g')
+      echo "BODY=$REPLACED" >> "$GITHUB_ENV"
+```
+
+If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially inject new Environment variables. For example, they could write an Issue comment like:
+
+```
+FOO
+NEW_ENV_VAR=MALICIOUS_VALUE
+```
+
+Likewise, if the attacker controls a file in the Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact), and the contents of that file are assigned to an environment variable such as:
+
+```bash
+- run: |
+    PR_NUMBER=$(cat pr-number.txt)
+    echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
+```
+
+An attacker could craft a malicious artifact that writes dangerous environment variables:
+
+```bash
+  - run: |
+      echo -e "666\nNEW_ENV_VAR=MALICIOUS_VALUE" > pr-number.txt
+  - uses: actions/upload-artifact@v4
+    with:
+      name: pr-number
+      path: ./pr-number.txt
+```
+
+### Exploitation
+
+An attacker will be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.
+
+## References
+
+- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
+- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation)

ql/src/Security/CWE-088/ArgumentInjectionCritical.md

@@ -0,0 +1,41 @@
+# Argument Injection in GitHub Actions
+
+## Description
+
+Passing user-controlled arguments to certain commands in the context of `Run` steps may lead to arbitrary code execution.
+
+Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.
+
+## Recommendations
+
+When possible avoid passing user-controlled data to commands which may spawn new processes using some of their arguments.
+
+It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
+
+## Examples
+
+### Incorrect Usage
+
+The following example lets a user inject an arbitrary shell command through argument injection:
+
+```yaml
+on: issue_comment
+
+jobs:
+  echo-body:
+    runs-on: ubuntu-latest
+    steps:
+      - env:
+          BODY: ${{ github.event.comment.body }}
+        run: |
+          cat file.txt | sed  "s/BODY_PLACEHOLDER/$BODY/g" > replaced.txt
+```
+
+An attacker may set the body of an Issue comment to `BAR|g;1e whoami;#` and the command `whoami` will get executed during the `sed` operation.
+
+## References
+
+- [Common Weakness Enumeration: CWE-88](https://cwe.mitre.org/data/definitions/88.html).
+- [Argument Injection Explained](https://sonarsource.github.io/argument-injection-vectors/explained/)
+- [Argument Injection Vectors](https://sonarsource.github.io/argument-injection-vectors/)
+- [GTFOBins](https://gtfobins.github.io/)

ql/src/Security/CWE-088/ArgumentInjectionMedium.md

@@ -0,0 +1,41 @@
+# Argument Injection in GitHub Actions
+
+## Description
+
+Passing user-controlled arguments to certain commands in the context of `Run` steps may lead to arbitrary code execution.
+
+Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.
+
+## Recommendations
+
+When possible avoid passing user-controlled data to commands which may spawn new processes using some of their arguments.
+
+It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
+
+## Examples
+
+### Incorrect Usage
+
+The following example lets a user inject an arbitrary shell command through argument injection:
+
+```yaml
+on: issue_comment
+
+jobs:
+  echo-body:
+    runs-on: ubuntu-latest
+    steps:
+      - env:
+          BODY: ${{ github.event.comment.body }}
+        run: |
+          cat file.txt | sed  "s/BODY_PLACEHOLDER/$BODY/g" > replaced.txt
+```
+
+An attacker may set the body of an Issue comment to `BAR|g;1e whoami;#` and the command `whoami` will get executed during the `sed` operation.
+
+## References
+
+- [Common Weakness Enumeration: CWE-88](https://cwe.mitre.org/data/definitions/88.html).
+- [Argument Injection Explained](https://sonarsource.github.io/argument-injection-vectors/explained/)
+- [Argument Injection Vectors](https://sonarsource.github.io/argument-injection-vectors/)
+- [GTFOBins](https://gtfobins.github.io/)