React Native Bottom Tabs GitHub Actions Workflow Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A vulnerability exists in the 'react-native-bottom-tabs' library for React Native, in versions through 0.9.2. The GitHub Actions workflow 'release-canary.yml' used the 'pull_request_target' event trigger, which runs with the base repository's permissions and secrets, and then checked out and executed code from forked pull requests in that privileged context. An attacker could exploit this by opening a pull request whose package.json contains a malicious preinstall script and then triggering the workflow by commenting '!canary'. The resulting arbitrary code execution could exfiltrate secrets such as GITHUB_TOKEN and NPM_TOKEN, enabling the attacker to push malicious code to the repository or publish compromised packages to the NPM registry.

Impact

Exploitation of this vulnerability allowed for arbitrary code execution within the GitHub Actions workflow, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN. This could have enabled an attacker to push malicious code to the repository or publish compromised packages to the NPM registry.

Reproduction

To reproduce this vulnerability, create a fork of the 'react-native-bottom-tabs' repository. Add a malicious preinstall script to the package.json file of your forked repository. Then, open a pull request from your forked repository to the original repository. After the pull request is created, post a comment containing '!canary' to trigger the vulnerable workflow. This will execute the malicious preinstall script in a privileged context, allowing for arbitrary code execution.

Remediation

The vulnerability has been addressed by removing the 'release-canary.yml' workflow file from the repository. Beyond that fix, users are advised to audit any workflows triggered by 'pull_request_target' or 'issue_comment', avoid checking out untrusted code in workflows that hold write-level tokens, and rotate any potentially compromised secrets, especially GITHUB_TOKEN and NPM_TOKEN.
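The audit the remediation calls for can be automated. The following Python scanner is an added example, not part of this advisory or the library's own code: it flags a workflow that combines a privileged trigger with a checkout of the pull-request head and a package install that runs lifecycle scripts. Both workflow texts are constructed samples modelled on the pattern described above, not the project's actual release-canary.yml.

```python
import re

PRIVILEGED_TRIGGERS = {"pull_request_target", "issue_comment", "workflow_run"}
PR_HEAD_REF = re.compile(r"github\.event\.(?:pull_request\.head|issue\.pull_request)")
INSTALL_CMD = re.compile(r"\b(?:npm (?:install|ci|i)|yarn(?: install)?|pnpm (?:install|i))\b")

# Constructed sample modelled on the pattern in this advisory (not the project's real file).
VULNERABLE_WORKFLOW = """\
on:
  pull_request_target:
  issue_comment: {types: [created]}
jobs:
  canary:
    steps:
      - uses: actions/checkout@v4
        with: {ref: "${{ github.event.pull_request.head.sha }}"}
      - run: yarn install && npm publish --tag canary
        env: {NPM_TOKEN: "${{ secrets.NPM_TOKEN }}"}
"""
# Same job hardened: read-only event, no fork ref checked out, lifecycle scripts disabled.
HARDENED_WORKFLOW = """\
on: [pull_request]
jobs:
  canary:
    permissions: {contents: read}
    steps:
      - uses: actions/checkout@v4
      - run: yarn install --ignore-scripts
"""

def triggers(workflow):
    """Names in the top-level 'on:' section (coarse: sub-keys like 'types' are included, harmless once intersected)."""
    m = re.search(r"^on:(.*?)(?=^\S|\Z)", workflow, re.S | re.M)
    return set(re.findall(r"\b([a-z_]+)\b", m.group(1))) if m else set()

def audit(workflow):
    """Findings for the privileged-trigger / untrusted-checkout / install pattern."""
    privileged = triggers(workflow) & PRIVILEGED_TRIGGERS
    pr_head = bool(PR_HEAD_REF.search(workflow))
    scripts = any(INSTALL_CMD.search(l) and "--ignore-scripts" not in l for l in workflow.splitlines())
    findings = []
    if privileged:
        findings.append("privileged trigger(s): " + ", ".join(sorted(privileged)))
    if privileged and pr_head:
        findings.append("checks out the pull request head under a privileged trigger")
    if pr_head and scripts:
        findings.append("package install runs lifecycle scripts on checked-out PR code")
    if privileged and pr_head and "secrets." in workflow:
        findings.append("secrets are exposed to a job that executes untrusted code")
    return findings
```

Run `audit()` over each file under `.github/workflows/`; an empty list means none of the three conditions combine, not that the workflow is safe in every other respect.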

Added: Aug 6, 2025, 12:34 AM
Updated: Aug 6, 2025, 12:34 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          6.7
exploitability  8.4
remediation     0.0
relevance       0.3
threat          4.8
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.