RSS Folo GitHub Actions Workflow Vulnerability Allowing Secrets Exfiltration
Vulnerability
A vulnerability exists in the RSS Folo GitHub repository within the GitHub Actions workflow file '.github/workflows/auto-fix-lint-format-commit.yml'. The issue arises from the use of the 'pull_request_target' trigger, which runs the workflow in the context of the base repository, with access to its secrets, while the workflow checks out and executes code from the untrusted pull request. Exploiting this vulnerability allows for the exfiltration of the 'GITHUB_TOKEN', a highly privileged token that can be used to gain complete control over the repository by writing content on its behalf.
Impact
Exploitation of this vulnerability allows an attacker to exfiltrate the 'GITHUB_TOKEN', which has high privileges and can be used to completely take over the repository, as the token includes content write privileges.
Reproduction
To reproduce this vulnerability, an attacker can inject malicious code into a pull request that targets a branch containing the vulnerable workflow. Once the pull request is opened or synchronized, the injected code will execute with access to the repository's secrets. This exploitation can be verified by extracting the 'GITHUB_TOKEN' and using it to perform actions on the repository, such as creating a tag.
Remediation
The vulnerability has been fixed in commit 585c6a591440cd39f92374230ac5d65d7dd23d6a. It is recommended to remove 'pull_request_target' from workflows or manage its use carefully to avoid checking out untrusted code. Additionally, 'GITHUB_TOKEN' permissions should be set appropriately based on the workflow's needs.
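As an added illustration (not the repository's own workflow before or after the fixing commit), the weak pattern the advisory describes beside a hardened form: a 'pull_request_target' job that checks out the PR head with a write-capable token and runs PR-controlled scripts, versus a 'pull_request' job with least-privilege permissions. The step contents and the `npm` commands are assumptions.

```yaml
# Added illustration, not the project's actual file.
# Weak pattern: pull_request_target runs with the base repository's secrets
# and a write-capable GITHUB_TOKEN, yet the job checks out and executes code
# (package.json scripts, lint/format config) controlled by the PR author.
name: auto-fix-lint-format-commit (vulnerable pattern)
on:
  pull_request_target:            # runs in the BASE repository context
    types: [opened, synchronize]
jobs:
  fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted PR code
          token: ${{ secrets.GITHUB_TOKEN }}              # write token persisted on disk
      - run: npm ci && npm run lint:fix   # assumed commands; PR-controlled scripts run here
      - run: git commit -am "chore: auto-fix lint" && git push   # token has contents: write

---
# Hardened form: the PR-triggered job uses pull_request (fork PRs receive a
# read-only GITHUB_TOKEN and no repository secrets), declares least-privilege
# permissions explicitly, and does not persist credentials into the checkout.
name: lint-check (hardened)
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read                  # token cannot push to the repository
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4 # checks out the PR merge ref, no write token
        with:
          persist-credentials: false
      - run: npm ci && npm run lint   # assumed command; failures are reported, not auto-committed
```

Auto-committing fixes for fork PRs should, if needed at all, be done from a separate workflow that never checks out untrusted code and scopes its token to the minimum required.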