OWASP BLT Remote Code Execution Vulnerability in GitHub Actions Workflow

Vulnerability

A remote code execution vulnerability has been identified in OWASP BLT versions prior to 2.1.1. The issue lies in the .github/workflows/regenerate-migrations.yml workflow, which uses the pull_request_target trigger. Unlike pull_request, pull_request_target runs in the context of the base repository, so the job receives a GITHUB_TOKEN with write permissions and the repository's secrets even when the pull request comes from a fork. Because this workflow runs with those privileges on pull requests opened by external contributors, it allows the execution of arbitrary code in a privileged CI environment with access to GITHUB_TOKEN and repository secrets, potentially leading to repository compromise and supply chain attacks.
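A first-pass audit for this class of misconfiguration, written as an added example (not OWASP BLT project code): it scans workflow text for the pull_request_target trigger, for a checkout step whose ref points at pull-request-controlled code, for a top-level permissions block, and for secret references, and rates each workflow. The two workflow texts embedded below are constructed samples that follow the advisory's description; they are not the real regenerate-migrations.yml. The check is line-based rather than a full YAML parse, so it needs no dependencies and is a triage aid, not a proof of safety.

```python
"""Heuristic audit of GitHub Actions workflows for the pull_request_target
anti-pattern described in this advisory: a workflow triggered by
pull_request_target (base-repository context, write token, secrets) that
checks out and runs code from the pull request head.

Added example, not OWASP BLT project code. The workflow texts below are
constructed samples, not the real regenerate-migrations.yml.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# pull_request_target as a block key, a list item, or a flow-style value of `on:`
PRT_TRIGGER = re.compile(
    r"^\s*(-\s*)?pull_request_target\s*:?\s*$|^\s*on\s*:.*\bpull_request_target\b"
)
# a checkout `ref:` that points at pull-request-controlled code
HEAD_CHECKOUT = re.compile(
    r"\bref\s*:\s*.*(github\.event\.pull_request\.head|github\.head_ref|refs/pull/)"
)
# top-level (column 0) permissions key; value may be a scalar or an empty block
TOP_PERMISSIONS = re.compile(r"^permissions\s*:\s*(.*)$")
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.")


@dataclass
class Finding:
    path: str
    uses_prt: bool = False
    checks_out_pr_head: bool = False
    restricts_permissions: bool = False
    uses_secrets: bool = False
    notes: List[str] = field(default_factory=list)

    @property
    def risk(self) -> str:
        if not self.uses_prt:
            return "none"
        if self.checks_out_pr_head:
            # untrusted PR code runs with the base repo's token and secrets
            return "high"
        if not self.restricts_permissions or self.uses_secrets:
            # no PR code is checked out, but a write-capable token or secrets
            # are still exposed to anything the event payload can influence
            return "medium"
        return "low"


def audit_workflow(path: str, text: str) -> Finding:
    """Scan one workflow's text line by line and collect the signals."""
    f = Finding(path=path)
    for lineno, line in enumerate(text.splitlines(), 1):
        if PRT_TRIGGER.search(line):
            f.uses_prt = True
            f.notes.append(f"{lineno}: pull_request_target trigger")
        if HEAD_CHECKOUT.search(line):
            f.checks_out_pr_head = True
            f.notes.append(f"{lineno}: checks out pull request head")
        m = TOP_PERMISSIONS.match(line)
        if m:
            # `write-all` is the one scalar value that restricts nothing
            f.restricts_permissions = m.group(1).strip() != "write-all"
            f.notes.append(f"{lineno}: top-level permissions key")
        if SECRET_USE.search(line):
            f.uses_secrets = True
            f.notes.append(f"{lineno}: secret referenced")
    return f


def audit_all(workflows: Dict[str, str]) -> Dict[str, str]:
    """Map each workflow path to its risk level."""
    return {p: audit_workflow(p, t).risk for p, t in workflows.items()}


# Constructed samples (not the project's real workflow files).
SAMPLES = {
    ".github/workflows/vulnerable.yml": """\
name: regenerate-migrations (constructed vulnerable sample)
on:
  pull_request_target:
    types: [labeled]
jobs:
  regenerate:
    runs-on: ubuntu-latest
    if: github.event.label.name == 'regenerate-migrations'
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install -r requirements.txt && python manage.py makemigrations
      - run: git push
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
""",
    ".github/workflows/hardened.yml": """\
name: regenerate-migrations (constructed hardened sample)
on:
  pull_request:
    types: [labeled]
permissions:
  contents: read
jobs:
  regenerate:
    runs-on: ubuntu-latest
    if: github.event.label.name == 'regenerate-migrations'
    steps:
      - uses: actions/checkout@v4
      - run: pip install -r requirements.txt && python manage.py makemigrations --check
""",
}

if __name__ == "__main__":
    for path, text in SAMPLES.items():
        finding = audit_workflow(path, text)
        print(f"{path}: {finding.risk}")
        for note in finding.notes:
            print("   ", note)
```

The hardened sample moves to the plain pull_request trigger, which runs in the fork's context with a read-only token and no secrets, and pins a read-only permissions block; a workflow that genuinely needs pull_request_target (for example to comment on a pull request) should never check out the head ref and should declare the minimum permissions explicitly.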

Impact

Exploitation of this vulnerability allows for remote code execution in the GitHub Actions runner, with the executed code running in a privileged environment. This access can be used to exfiltrate GITHUB_TOKEN and repository secrets, modify workflows, and inject malicious code into the CI pipeline, which could tamper with build artifacts and disrupt the integrity of the development process.

Reproduction

To reproduce this vulnerability, fork the OWASP BLT repository and add a payload to the website/models.py file. Then, open a pull request targeting the main branch and apply the regenerate-migrations label. This will trigger the vulnerable workflow, executing the payload in the CI environment.

Remediation

Users should update to OWASP BLT version 2.1.1, which addresses this vulnerability.

Added: Apr 15, 2026, 11:21 PM
Updated: Apr 15, 2026, 11:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.2
remediation: 0.0
relevance: 6.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.