Description of Exploit
The GitHub Actions workflow configuration allows execution of arbitrary code by exploiting a race condition between the comment-based trigger and the checkout that follows it. The issue arises from how the input ref is handled: the workflow is pointed at a mutable branch-style ref rather than at the specific commit the commenter reviewed.
Configuration in perf_common.yaml
In the perf_common.yaml file, the code is checked out and executed on a ref provided as a workflow input:

```yaml
      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
        with:
          ref: ${{ inputs.ref }}
      - name: Add pwd to git safe dir
        run: git config --global --add safe.directory `pwd`
      - name: Use GitHub Bazel config
        uses: ./.github/actions/bazelrc
        with:
          BB_API_KEY: ${{ secrets.BB_IO_API_KEY }}
```
Trigger in perf.yaml
In the perf.yaml file, the pr-perf-eval job triggers the common performance workflow and passes the ref of the pull request head:

```yaml
  pr-perf-eval:
    name: PR Performance Evaluation
    needs: pr-perf-setup
    if: ${{ needs.pr-perf-setup.outputs.outcome == 'success' }}
    uses: ./.github/workflows/perf_common.yaml
    with:
      suites: ${{ needs.pr-perf-setup.outputs.suites }}
      tags: ${{ needs.pr-perf-setup.outputs.tags }}
      ref: refs/pull/${{ github.event.issue.number }}/head
```
Exploit Scenario
- Initial Comment: An authorized user (e.g., a maintainer) makes a comment that triggers the pr-perf-eval workflow. The workflow resolves the ref refs/pull/N/head, which always points at the current tip of the pull request branch, not at the commit the maintainer reviewed.
- Race Condition: A malicious actor who controls the pull request branch (the PR author or a collaborator) pushes a new, malicious commit to the PR branch after the comment is made but before the workflow's checkout step runs.
- Code Execution: When the workflow runs, it checks out the updated ref, which now includes the malicious commit, and the malicious code executes in the GitHub Actions environment. Because the local action ./.github/actions/bazelrc is also loaded from the checked-out tree and receives secrets.BB_IO_API_KEY, the attacker's code runs with that secret available.
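One way to close the window, shown here as an added example rather than code from the affected repository: bind the approval to a commit instead of to the mutable refs/pull/N/head. The setup job's logic is modelled below in Python over constructed payloads that use the real field names of the issue_comment webhook and the pull request REST object (the values are made up). The /perf-run <sha> command syntax and the set of trusted author_association values are assumptions of this example. The workflow would pass the returned SHA as ref in place of refs/pull/${{ github.event.issue.number }}/head.

```python
import re

# Constructed sample inputs shaped like GitHub's issue_comment webhook payload
# and the pull request REST object; field names are real, values are made up.
APPROVED_SHA = "0123456789abcdef0123456789abcdef01234567"
ATTACKER_SHA = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"

SAMPLE_EVENT = {
    "issue": {
        "number": 123,
        "pull_request": {"url": "https://api.github.com/repos/o/r/pulls/123"},
    },
    "comment": {
        "body": f"/perf-run {APPROVED_SHA}",
        "author_association": "MEMBER",
    },
}
SAMPLE_PULL_BEFORE_PUSH = {"head": {"sha": APPROVED_SHA}}
SAMPLE_PULL_AFTER_PUSH = {"head": {"sha": ATTACKER_SHA}}

# Hypothetical command syntax (an assumption of this example): the approver
# names the full 40-hex SHA they reviewed, so the approval is bound to a commit
# rather than to whatever refs/pull/N/head points at when the runner starts.
COMMAND_RE = re.compile(r"^/perf-run\s+([0-9a-f]{40})\s*$", re.MULTILINE)

# author_association values treated as maintainers in this example.
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}


def approved_sha(event):
    """Return the commit SHA a trusted comment approves, or None."""
    # issue_comment also fires for comments on plain issues; only PRs qualify.
    if "pull_request" not in event["issue"]:
        return None
    comment = event["comment"]
    if comment.get("author_association") not in TRUSTED_ASSOCIATIONS:
        return None
    match = COMMAND_RE.search(comment.get("body", ""))
    return match.group(1) if match else None


def ref_to_check_out(event, pull):
    """Resolve the immutable ref the workflow should check out.

    Raises if there is no trusted approval, or if the PR head no longer
    matches the approved commit (the race described above). Never returns
    a branch-style ref, so a later push cannot change what is checked out.
    """
    sha = approved_sha(event)
    if sha is None:
        raise PermissionError("no trusted approval command in comment")
    head = pull["head"]["sha"]
    if head != sha:
        # The approved commit may still be fetchable by SHA, but results for
        # it would not describe the PR as it now stands, so refuse and ask
        # for a fresh review instead of silently running either commit.
        raise RuntimeError(
            f"PR head {head[:12]} is not the approved commit {sha[:12]}; re-review"
        )
    return sha


if __name__ == "__main__":
    print("before push:", ref_to_check_out(SAMPLE_EVENT, SAMPLE_PULL_BEFORE_PUSH))
    try:
        ref_to_check_out(SAMPLE_EVENT, SAMPLE_PULL_AFTER_PUSH)
    except RuntimeError as err:
        print("after push:", err)
```

Merely resolving refs/pull/N/head to a SHA inside the setup job narrows the window but does not close it, because the push can land between the maintainer's review and that resolution; naming the reviewed commit in the comment does close it. Commit timestamps are deliberately not used as a signal here: the committer date is set by whoever creates the commit and can be backdated.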