Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Fix GraphQL query to get a collaborator's permission #301

Merged
merged 1 commit into from Dec 10, 2023
Merged

[Security] Fix GraphQL query to get a collaborator's permission #301

merged 1 commit into from Dec 10, 2023

Conversation

0xn3va
Copy link
Contributor

@0xn3va 0xn3va commented Dec 10, 2023
edited

I am terribly sorry for opening a public pull request with the fix for this vulnerability. I tried to reach out to you multiple times via X(Twitter), email from https://peterevans.dev/, and LinkedIn but didn't hear back from you. Plus, there is no security policy, so the only option left is opening a pull request.

The action uses the following GraphQL query to get the permissions of a user who triggered the action:

  async getActorPermission(repo: Repository, actor: string): Promise<string> {
    const query = `query CollaboratorPermission($owner: String!, $repo: String!, $collaborator: String) {
      repository(owner:$owner, name:$repo) {
        collaborators(query: $collaborator) {
          edges {
            permission
          }
        }
      }
    }`

The problem is that the $collaborator variable is passed to the query parameter which implements the fuzzy search. In other words, you can use an outside user with a username close to a maintainer username to bypass the permissions validation.

For example, the query above will return the ADMIN permission with the following variables:

  • owner: peter-evans
  • name: slash-command-dispatch
  • collaborator: eter-evans (note there is no the first letter p)

So, it means that an attacker can find users with required permissions in a target repository, create a user with a close name (like eter-evans), and bypass the permissions validation using that user.

To avoid this behaviour, the login parameter must be used instead of query.

@peter-evans peter-evans merged commit f996d7b into peter-evans:main Dec 10, 2023
3 checks passed
@peter-evans
Copy link
Owner

Hi @0xn3va

Thank you for raising this PR! Apologies for missing your attempts to contact me about this. I vaguely recall seeing something, but I get a lot of random email and messages and sometimes it's not easy to figure out what is genuine and what is spam. Thank you for your effort to get this fixed, I do appreciate it.

I've released the fix as v3.0.2 / v3.

renovate bot added a commit to Hapag-Lloyd/dist-comm-vis that referenced this pull request Dec 10, 2023
@renovate
chore(deps): update peter-evans/slash-command-dispatch action to v3.0…
2c8d539 
….2 (#164)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[peter-evans/slash-command-dispatch](https://togithub.com/peter-evans/slash-command-dispatch)
| action | patch | `v3.0.1` -> `v3.0.2` |

---

### Release Notes

<details>
<summary>peter-evans/slash-command-dispatch
(peter-evans/slash-command-dispatch)</summary>

###
[`v3.0.2`](https://togithub.com/peter-evans/slash-command-dispatch/releases/tag/v3.0.2):
Slash Command Dispatch v3.0.2

[Compare
Source](https://togithub.com/peter-evans/slash-command-dispatch/compare/v3.0.1...v3.0.2)

#### What's Changed

- fix: replace use of any type by
[@&#8203;peter-evans](https://togithub.com/peter-evans) in
[peter-evans/slash-command-dispatch#152
- fixing link to `Get a pull request` by
[@&#8203;Borda](https://togithub.com/Borda) in
[peter-evans/slash-command-dispatch#270
- Update getting-started.md due to changes in Github UI by
[@&#8203;martin-displayr](https://togithub.com/martin-displayr) in
[peter-evans/slash-command-dispatch#289
- \[Security] Fix GraphQL query to get a collaborator's permission by
[@&#8203;0xn3va](https://togithub.com/0xn3va) in
[peter-evans/slash-command-dispatch#301
- 129 dependency updates by
[@&#8203;dependabot](https://togithub.com/dependabot)

#### New Contributors

- [@&#8203;Borda](https://togithub.com/Borda) made their first
contribution in
[peter-evans/slash-command-dispatch#270
- [@&#8203;martin-displayr](https://togithub.com/martin-displayr) made
their first contribution in
[peter-evans/slash-command-dispatch#289
- [@&#8203;0xn3va](https://togithub.com/0xn3va) made their first
contribution in
[peter-evans/slash-command-dispatch#301

**Full Changelog**:
peter-evans/slash-command-dispatch@v3.0.1...v3.0.2

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/Hapag-Lloyd/dist-comm-vis).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44Ny4yIiwidXBkYXRlZEluVmVyIjoiMzcuODcuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate bot added a commit to Hapag-Lloyd/.github that referenced this pull request Dec 10, 2023
@renovate
chore(deps): update peter-evans/slash-command-dispatch action to v3.0…
424e54b 
….2 (#9)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[peter-evans/slash-command-dispatch](https://togithub.com/peter-evans/slash-command-dispatch)
| action | patch | `v3.0.1` -> `v3.0.2` |

---

### Release Notes

<details>
<summary>peter-evans/slash-command-dispatch
(peter-evans/slash-command-dispatch)</summary>

###
[`v3.0.2`](https://togithub.com/peter-evans/slash-command-dispatch/releases/tag/v3.0.2):
Slash Command Dispatch v3.0.2

[Compare
Source](https://togithub.com/peter-evans/slash-command-dispatch/compare/v3.0.1...v3.0.2)

#### What's Changed

- fix: replace use of any type by
[@&#8203;peter-evans](https://togithub.com/peter-evans) in
[peter-evans/slash-command-dispatch#152
- fixing link to `Get a pull request` by
[@&#8203;Borda](https://togithub.com/Borda) in
[peter-evans/slash-command-dispatch#270
- Update getting-started.md due to changes in Github UI by
[@&#8203;martin-displayr](https://togithub.com/martin-displayr) in
[peter-evans/slash-command-dispatch#289
- \[Security] Fix GraphQL query to get a collaborator's permission by
[@&#8203;0xn3va](https://togithub.com/0xn3va) in
[peter-evans/slash-command-dispatch#301
- 129 dependency updates by
[@&#8203;dependabot](https://togithub.com/dependabot)

#### New Contributors

- [@&#8203;Borda](https://togithub.com/Borda) made their first
contribution in
[peter-evans/slash-command-dispatch#270
- [@&#8203;martin-displayr](https://togithub.com/martin-displayr) made
their first contribution in
[peter-evans/slash-command-dispatch#289
- [@&#8203;0xn3va](https://togithub.com/0xn3va) made their first
contribution in
[peter-evans/slash-command-dispatch#301

**Full Changelog**:
peter-evans/slash-command-dispatch@v3.0.1...v3.0.2

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/Hapag-Lloyd/.github).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44Ny4yIiwidXBkYXRlZEluVmVyIjoiMzcuODcuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate bot added a commit to Hapag-Lloyd/Renovate-Global-Configuration that referenced this pull request Dec 10, 2023
@renovate
chore(deps): update peter-evans/slash-command-dispatch action to v3.0…
d3435b4 
….2 (#59)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[peter-evans/slash-command-dispatch](https://togithub.com/peter-evans/slash-command-dispatch)
| action | patch | `v3.0.1` -> `v3.0.2` |

---

### Release Notes

<details>
<summary>peter-evans/slash-command-dispatch
(peter-evans/slash-command-dispatch)</summary>

###
[`v3.0.2`](https://togithub.com/peter-evans/slash-command-dispatch/releases/tag/v3.0.2):
Slash Command Dispatch v3.0.2

[Compare
Source](https://togithub.com/peter-evans/slash-command-dispatch/compare/v3.0.1...v3.0.2)

#### What's Changed

- fix: replace use of any type by
[@&#8203;peter-evans](https://togithub.com/peter-evans) in
[peter-evans/slash-command-dispatch#152
- fixing link to `Get a pull request` by
[@&#8203;Borda](https://togithub.com/Borda) in
[peter-evans/slash-command-dispatch#270
- Update getting-started.md due to changes in Github UI by
[@&#8203;martin-displayr](https://togithub.com/martin-displayr) in
[peter-evans/slash-command-dispatch#289
- \[Security] Fix GraphQL query to get a collaborator's permission by
[@&#8203;0xn3va](https://togithub.com/0xn3va) in
[peter-evans/slash-command-dispatch#301
- 129 dependency updates by
[@&#8203;dependabot](https://togithub.com/dependabot)

#### New Contributors

- [@&#8203;Borda](https://togithub.com/Borda) made their first
contribution in
[peter-evans/slash-command-dispatch#270
- [@&#8203;martin-displayr](https://togithub.com/martin-displayr) made
their first contribution in
[peter-evans/slash-command-dispatch#289
- [@&#8203;0xn3va](https://togithub.com/0xn3va) made their first
contribution in
[peter-evans/slash-command-dispatch#301

**Full Changelog**:
peter-evans/slash-command-dispatch@v3.0.1...v3.0.2

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/Hapag-Lloyd/Renovate-Global-Configuration).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44Ny4yIiwidXBkYXRlZEluVmVyIjoiMzcuODcuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@frederikb
Copy link

Just as a heads-up for anyone running into this error:

Error: Request failed due to following response errors:
 - Field 'collaborators' doesn't accept argument 'login'
 - Variable $collaborator is declared by CollaboratorPermission but not used

v3 of this action now requires GitHub Enterprise Server >= 3.9.

Earlier versions do not expose the login field on collaborators as confirmed by comparing the GraphQL schemas:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@0xn3va @peter-evans @frederikb