Eclipse Theia Website GitHub Actions Workflow Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in the Eclipse Theia Website repository. The issue arises from the GitHub Actions workflow '.github/workflows/preview.yml', which uses the 'pull_request_target' trigger. This workflow checks out and executes untrusted pull request code, allowing any GitHub user to run arbitrary code in the repository's continuous integration (CI) environment. The vulnerability is particularly concerning because it provides access to repository secrets and a 'GITHUB_TOKEN' with extensive write permissions, including rights to modify the repository's GitHub Pages and publish packages to the Eclipse Theia organization. The exploitation of this vulnerability could lead to the exfiltration of sensitive secrets, the injection of malicious code into the repository, and the compromise of the official Theia website.

Impact

Exploitation of this vulnerability allows for arbitrary code execution in the GitHub Actions CI environment, with access to high-value credentials and permissions. This includes the 'GITHUB_TOKEN', which has full write rights to the repository and organization packages, the 'DEPLOY_PREVIEW_TOKEN' for cross-repository deployments, and a Node authentication token for npm registry access. Such actions could disrupt the CI/CD pipeline, modify the official Theia website, and compromise the integrity of published packages, affecting millions of developers who rely on them.

Reproduction

The vulnerability can be reproduced by forking the 'eclipse-theia/theia-website' repository and modifying the 'package.json' file to include malicious scripts. Once the changes are committed, a pull request can be opened to the original repository. The 'preview.yml' workflow will automatically trigger, executing the injected commands with elevated permissions and access to repository secrets.

Remediation

The vulnerability has been addressed by replacing the 'pull_request_target' workflow with a secure three-workflow architecture. The 'preview-build.yml' workflow now uses the 'pull_request' trigger, avoiding secrets access, while the 'preview-deploy.yml' workflow uses 'workflow_run' to process build artifacts. The 'preview-remove.yml' workflow, which only closes pull requests, utilizes 'pull_request_target' without executing code. Additionally, repository secrets should be rotated and recent package publications audited for signs of tampering.
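The build/deploy split described above, written out as an added illustration; these are not the project's actual workflow files, and the artifact name, the pr-number file and the deploy-preview.sh script are assumptions. The preview-remove.yml workflow is omitted since it keeps pull_request_target but contains no checkout or run step.

```yaml
# .github/workflows/preview-build.yml (illustrative, not the project's file)
# Triggered by pull_request: runs in the fork's context with no secrets
# and a read-only GITHUB_TOKEN, so running untrusted code here is safe.
name: Preview build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Untrusted package.json scripts execute here, without any secrets.
      - run: npm ci && npm run build
      # Pass the PR number to the deploy workflow as data, never as code.
      - run: echo "${{ github.event.number }}" > public/pr-number
      - uses: actions/upload-artifact@v4
        with:
          name: preview-site
          path: public/

# .github/workflows/preview-deploy.yml (illustrative, not the project's file)
# Triggered by workflow_run: runs in the base repository with secrets, but
# only handles the finished artifact; it never checks out or runs PR code.
name: Preview deploy
on:
  workflow_run:
    workflows: ["Preview build"]
    types: [completed]
permissions:
  contents: read
jobs:
  deploy:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: preview-site
          path: site
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # The artifact is attacker-influenced: validate before using its contents.
      - run: |
          pr="$(cat site/pr-number)"
          [[ "$pr" =~ ^[0-9]+$ ]] || { echo "bad PR number"; exit 1; }
          ./deploy-preview.sh "$pr" site   # hypothetical deploy script
        env:
          DEPLOY_PREVIEW_TOKEN: ${{ secrets.DEPLOY_PREVIEW_TOKEN }}
```

The privileged workflow treats everything in the artifact as untrusted data, which is what makes the workflow_run stage safe to run with secrets.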

Added: Jan 30, 2026, 10:22 AM
Updated: Jan 30, 2026, 10:22 AM

Vulnerability Rating

Custom Algorithm

spread:         3.1
impact:         5.0
exploitability: 6.6
remediation:    8.3
relevance:      2.5
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.