[Security] Fix GraphQL query to get a collaborator's permission #301

0xn3va · 2023-12-10T19:46:26Z

I am terribly sorry for opening a public pull request with the fix for this vulnerability. I tried to reach out to you multiple times via X(Twitter), email from https://peterevans.dev/, and LinkedIn but didn't hear back from you. Plus, there is no security policy, so the only option left is opening a pull request.

The action uses the following GraphQL query to get the permissions of a user who triggered the action:

  async getActorPermission(repo: Repository, actor: string): Promise<string> {
    const query = `query CollaboratorPermission($owner: String!, $repo: String!, $collaborator: String) {
      repository(owner:$owner, name:$repo) {
        collaborators(query: $collaborator) {
          edges {
            permission
          }
        }
      }
    }`

The problem is that the $collaborator variable is passed to the query parameter which implements the fuzzy search. In other words, you can use an outside user with a username close to a maintainer username to bypass the permissions validation.

For example, the query above will return the ADMIN permission with the following variables:

owner: peter-evans
name: slash-command-dispatch
collaborator: eter-evans (note there is no the first letter p)

So, it means that an attacker can find users with required permissions in a target repository, create a user with a close name (like eter-evans), and bypass the permissions validation using that user.

To avoid this behaviour, the login parameter must be used instead of query.

peter-evans · 2023-12-10T21:22:41Z

Hi @0xn3va

Thank you for raising this PR! Apologies for missing your attempts to contact me about this. I vaguely recall seeing something, but I get a lot of random email and messages and sometimes it's not easy to figure out what is genuine and what is spam. Thank you for your effort to get this fixed, I do appreciate it.

I've released the fix as v3.0.2 / v3.

….2 (#164) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [peter-evans/slash-command-dispatch](https://togithub.com/peter-evans/slash-command-dispatch) | action | patch | `v3.0.1` -> `v3.0.2` | --- ### Release Notes <details> <summary>peter-evans/slash-command-dispatch (peter-evans/slash-command-dispatch)</summary> ### [`v3.0.2`](https://togithub.com/peter-evans/slash-command-dispatch/releases/tag/v3.0.2): Slash Command Dispatch v3.0.2 [Compare Source](https://togithub.com/peter-evans/slash-command-dispatch/compare/v3.0.1...v3.0.2) #### What's Changed - fix: replace use of any type by [@peter-evans](https://togithub.com/peter-evans) in [https://github.com/peter-evans/slash-command-dispatch/pull/152](https://togithub.com/peter-evans/slash-command-dispatch/pull/152) - fixing link to `Get a pull request` by [@Borda](https://togithub.com/Borda) in [https://github.com/peter-evans/slash-command-dispatch/pull/270](https://togithub.com/peter-evans/slash-command-dispatch/pull/270) - Update getting-started.md due to changes in Github UI by [@martin-displayr](https://togithub.com/martin-displayr) in [https://github.com/peter-evans/slash-command-dispatch/pull/289](https://togithub.com/peter-evans/slash-command-dispatch/pull/289) - \[Security] Fix GraphQL query to get a collaborator's permission by [@0xn3va](https://togithub.com/0xn3va) in [https://github.com/peter-evans/slash-command-dispatch/pull/301](https://togithub.com/peter-evans/slash-command-dispatch/pull/301) - 129 dependency updates by [@dependabot](https://togithub.com/dependabot) #### New Contributors - [@Borda](https://togithub.com/Borda) made their first contribution in [https://github.com/peter-evans/slash-command-dispatch/pull/270](https://togithub.com/peter-evans/slash-command-dispatch/pull/270) - [@martin-displayr](https://togithub.com/martin-displayr) made their first contribution in [https://github.com/peter-evans/slash-command-dispatch/pull/289](https://togithub.com/peter-evans/slash-command-dispatch/pull/289) - [@0xn3va](https://togithub.com/0xn3va) made their first contribution in [https://github.com/peter-evans/slash-command-dispatch/pull/301](https://togithub.com/peter-evans/slash-command-dispatch/pull/301) **Full Changelog**: peter-evans/slash-command-dispatch@v3.0.1...v3.0.2 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/Hapag-Lloyd/dist-comm-vis).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

….2 (#9) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [peter-evans/slash-command-dispatch](https://togithub.com/peter-evans/slash-command-dispatch) | action | patch | `v3.0.1` -> `v3.0.2` | --- ### Release Notes <details> <summary>peter-evans/slash-command-dispatch (peter-evans/slash-command-dispatch)</summary> ### [`v3.0.2`](https://togithub.com/peter-evans/slash-command-dispatch/releases/tag/v3.0.2): Slash Command Dispatch v3.0.2 [Compare Source](https://togithub.com/peter-evans/slash-command-dispatch/compare/v3.0.1...v3.0.2) #### What's Changed - fix: replace use of any type by [@peter-evans](https://togithub.com/peter-evans) in [https://github.com/peter-evans/slash-command-dispatch/pull/152](https://togithub.com/peter-evans/slash-command-dispatch/pull/152) - fixing link to `Get a pull request` by [@Borda](https://togithub.com/Borda) in [https://github.com/peter-evans/slash-command-dispatch/pull/270](https://togithub.com/peter-evans/slash-command-dispatch/pull/270) - Update getting-started.md due to changes in Github UI by [@martin-displayr](https://togithub.com/martin-displayr) in [https://github.com/peter-evans/slash-command-dispatch/pull/289](https://togithub.com/peter-evans/slash-command-dispatch/pull/289) - \[Security] Fix GraphQL query to get a collaborator's permission by [@0xn3va](https://togithub.com/0xn3va) in [https://github.com/peter-evans/slash-command-dispatch/pull/301](https://togithub.com/peter-evans/slash-command-dispatch/pull/301) - 129 dependency updates by [@dependabot](https://togithub.com/dependabot) #### New Contributors - [@Borda](https://togithub.com/Borda) made their first contribution in [https://github.com/peter-evans/slash-command-dispatch/pull/270](https://togithub.com/peter-evans/slash-command-dispatch/pull/270) - [@martin-displayr](https://togithub.com/martin-displayr) made their first contribution in [https://github.com/peter-evans/slash-command-dispatch/pull/289](https://togithub.com/peter-evans/slash-command-dispatch/pull/289) - [@0xn3va](https://togithub.com/0xn3va) made their first contribution in [https://github.com/peter-evans/slash-command-dispatch/pull/301](https://togithub.com/peter-evans/slash-command-dispatch/pull/301) **Full Changelog**: peter-evans/slash-command-dispatch@v3.0.1...v3.0.2 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/Hapag-Lloyd/.github).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

….2 (#59) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [peter-evans/slash-command-dispatch](https://togithub.com/peter-evans/slash-command-dispatch) | action | patch | `v3.0.1` -> `v3.0.2` | --- ### Release Notes <details> <summary>peter-evans/slash-command-dispatch (peter-evans/slash-command-dispatch)</summary> ### [`v3.0.2`](https://togithub.com/peter-evans/slash-command-dispatch/releases/tag/v3.0.2): Slash Command Dispatch v3.0.2 [Compare Source](https://togithub.com/peter-evans/slash-command-dispatch/compare/v3.0.1...v3.0.2) #### What's Changed - fix: replace use of any type by [@peter-evans](https://togithub.com/peter-evans) in [https://github.com/peter-evans/slash-command-dispatch/pull/152](https://togithub.com/peter-evans/slash-command-dispatch/pull/152) - fixing link to `Get a pull request` by [@Borda](https://togithub.com/Borda) in [https://github.com/peter-evans/slash-command-dispatch/pull/270](https://togithub.com/peter-evans/slash-command-dispatch/pull/270) - Update getting-started.md due to changes in Github UI by [@martin-displayr](https://togithub.com/martin-displayr) in [https://github.com/peter-evans/slash-command-dispatch/pull/289](https://togithub.com/peter-evans/slash-command-dispatch/pull/289) - \[Security] Fix GraphQL query to get a collaborator's permission by [@0xn3va](https://togithub.com/0xn3va) in [https://github.com/peter-evans/slash-command-dispatch/pull/301](https://togithub.com/peter-evans/slash-command-dispatch/pull/301) - 129 dependency updates by [@dependabot](https://togithub.com/dependabot) #### New Contributors - [@Borda](https://togithub.com/Borda) made their first contribution in [https://github.com/peter-evans/slash-command-dispatch/pull/270](https://togithub.com/peter-evans/slash-command-dispatch/pull/270) - [@martin-displayr](https://togithub.com/martin-displayr) made their first contribution in [https://github.com/peter-evans/slash-command-dispatch/pull/289](https://togithub.com/peter-evans/slash-command-dispatch/pull/289) - [@0xn3va](https://togithub.com/0xn3va) made their first contribution in [https://github.com/peter-evans/slash-command-dispatch/pull/301](https://togithub.com/peter-evans/slash-command-dispatch/pull/301) **Full Changelog**: peter-evans/slash-command-dispatch@v3.0.1...v3.0.2 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/Hapag-Lloyd/Renovate-Global-Configuration).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

frederikb · 2023-12-15T14:42:25Z

Just as a heads-up for anyone running into this error:

Error: Request failed due to following response errors:
 - Field 'collaborators' doesn't accept argument 'login'
 - Variable $collaborator is declared by CollaboratorPermission but not used

v3 of this action now requires GitHub Enterprise Server >= 3.9.

Earlier versions do not expose the login field on collaborators as confirmed by comparing the GraphQL schemas:

Fix the CollaboratorPermission GraphQL query

4e63ee0

peter-evans merged commit f996d7b into peter-evans:main Dec 10, 2023
3 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Fix GraphQL query to get a collaborator's permission #301

[Security] Fix GraphQL query to get a collaborator's permission #301

0xn3va commented Dec 10, 2023 •

edited

Loading

peter-evans commented Dec 10, 2023

frederikb commented Dec 15, 2023

[Security] Fix GraphQL query to get a collaborator's permission #301

[Security] Fix GraphQL query to get a collaborator's permission #301

Conversation

0xn3va commented Dec 10, 2023 • edited Loading

peter-evans commented Dec 10, 2023

frederikb commented Dec 15, 2023

0xn3va commented Dec 10, 2023 •

edited

Loading