Skim Arbitrary Code Execution Vulnerability via Forked Pull Request Checkout

Vulnerability

A vulnerability in the Skim fuzzy finder allows for arbitrary code execution. The issue arises in the GitHub Actions workflow file '.github/workflows/pr.yml', where the 'generate-files' job checks out code from attacker-controlled forks and executes it using 'cargo run'. This process is performed with access to sensitive secrets, including 'SKIM_RS_BOT_PRIVATE_KEY' and 'GITHUB_TOKEN' (with write permissions). The vulnerability can be exploited by any GitHub user who opens a pull request from a fork, as there are no safeguards in place to prevent such actions.
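As an added illustration (not Skim's actual '.github/workflows/pr.yml', whose contents the advisory does not reproduce), the following shows the weak workflow pattern described above beside a hardened variant, as two fragments separated by '---'. The 'pull_request_target' trigger, the 'actions/checkout@v4' usage and the step layout are assumptions about how the described behaviour arises.

```yaml
# Reconstructed illustration of the vulnerable pattern; not the project's file.
# Assumed trigger: pull_request_target, which runs in the base repository's
# context and exposes repository secrets even for pull requests from forks.
name: pr
on:
  pull_request_target:
permissions:
  contents: write            # GITHUB_TOKEN can push (the advisory reports write permissions)

jobs:
  generate-files:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # WEAK: checks out the contributor's commit instead of the base branch,
          # so the fork controls src/bin/main.rs and any build.rs.
          ref: ${{ github.event.pull_request.head.sha }}
      - run: cargo run       # compiles and executes fork-controlled code with secrets in scope
        env:
          SKIM_RS_BOT_PRIVATE_KEY: ${{ secrets.SKIM_RS_BOT_PRIVATE_KEY }}

---
# Hardened variant: the same job under the plain pull_request event. For a fork
# PR this event provides no repository secrets and a read-only GITHUB_TOKEN, so
# contributor code can only affect the ephemeral runner. Any step that needs
# write access (committing generated files) belongs in a separate workflow
# triggered by push to the default branch, which never runs fork code.
name: pr
on:
  pull_request:
permissions:
  contents: read
jobs:
  generate-files:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4    # default ref for pull_request is the PR merge commit
        with:
          persist-credentials: false # no token left behind in .git/config
      - run: cargo run
```

A quick check for this class of issue is to grep a repository's workflows for 'pull_request_target' and flag any job that checks out 'github.event.pull_request.head.*' and then builds or runs that code.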

Impact

Exploitation of this vulnerability allows for arbitrary code execution in the context of the GitHub Actions runner. The executed code can access GitHub secrets, including the application installation token, which could be exfiltrated to an external server. This token could then be used to push malicious code to the repository or publish a compromised crate to crates.io, affecting other projects that depend on it.

Reproduction

To reproduce this vulnerability, fork the Skim repository and modify the code in 'src/bin/main.rs' or add a 'build.rs' file to exfiltrate the GitHub App installation token from the Git credentials file. Then, open a pull request from the forked repository. The 'generate-files' job in the GitHub Actions workflow will automatically execute the modified code, allowing for the token exfiltration.

Remediation

The vulnerability has been fixed in commit bf63404ad51985b00ed304690ba9d477860a5a75 by removing the dangerous pull request action from the workflow.

Added: Apr 24, 2026, 8:56 PM
Updated: Apr 24, 2026, 8:56 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.7
remediation: 0.0
relevance: 6.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.