QGIS GitHub Actions Workflow Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in a QGIS GitHub repository. This issue arises from a workflow named 'pre-commit checks' that used the 'pull_request_target' trigger, allowing untrusted pull request code to be executed in a privileged context. Workflows triggered by 'pull_request_target' have access to the base repository's credentials and secrets. If the workflow checks out and runs code from an external pull request, an attacker could execute arbitrary commands with elevated privileges. This vulnerability has been acknowledged as a security risk by GitHub and security researchers.
Impact
Exploitation of this vulnerability allows arbitrary code execution on GitHub Actions runners with elevated privileges, access to repository secrets, and the ability to push malicious commits or branches, modify workflow files, or tamper with release artifacts.
Reproduction
To reproduce this vulnerability, fork the QGIS repository and add a malicious '.pre-commit-config.yaml' file along with a script that executes arbitrary commands. Open a pull request against the original repository. The workflow will run the attacker-controlled code with elevated privileges, demonstrating the remote code execution and repository takeover.
Remediation
The vulnerability has been patched by changing the workflow trigger from 'pull_request_target' to 'pull_request', so that code from an untrusted pull request no longer executes in a privileged context. It is recommended to audit all workflow runs for unauthorized code execution, review the git history for suspicious commits, verify the integrity of release artifacts, and rotate all secrets and tokens that were accessible to the compromised workflow.
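As an added example (not code from this page or from the QGIS project), the check a maintainer could run over a repository's workflow files to flag the combination described above: a 'pull_request_target' trigger plus a checkout of the pull request head. The sample workflow text is constructed to illustrate the pattern and is not the repository's actual file.

```python
import pathlib
import re

# Constructed sample of the risky pattern (illustrative, not QGIS's actual
# workflow): a privileged trigger plus a checkout of the pull request head,
# followed by a tool that executes configuration taken from that checkout.
VULNERABLE_WORKFLOW = """\
name: pre-commit checks
on:
  pull_request_target:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install pre-commit && pre-commit run --all-files
"""

# The remediation described on the page: only the trigger changes.
FIXED_WORKFLOW = VULNERABLE_WORKFLOW.replace("pull_request_target:", "pull_request:")

# Line-oriented checks; deliberately coarse so no YAML library is needed.
TRIGGER_RE = re.compile(r"\bpull_request_target\b")
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means the pattern is absent."""
    findings = []
    if not TRIGGER_RE.search(text):
        return findings  # pull_request from a fork gets a read-only token and no secrets
    findings.append("pull_request_target trigger: job runs with base-repo credentials")
    if CHECKOUT_RE.search(text) and PR_HEAD_RE.search(text):
        findings.append("checks out the PR head: untrusted code executes in that context")
    return findings


def audit_workflows_dir(workflows_dir: str) -> dict[str, list[str]]:
    """Audit every workflow under a .github/workflows directory (hypothetical helper)."""
    results = {}
    for path in sorted(pathlib.Path(workflows_dir).glob("*.y*ml")):
        findings = audit_workflow(path.read_text(encoding="utf-8"))
        if findings:
            results[path.name] = findings
    return results


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(name, audit_workflow(text) or "no findings")
```

A finding of the trigger alone is a warning, not a confirmed issue; the second finding is the combination that lets pull request code run with the base repository's credentials.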
