CVE-2021-21423: Rebuild-bot workflow may allow unauthorised repository modifications
projen is a project generation tool that synthesizes project configuration files such as package.json, tsconfig.json, .gitignore, GitHub Workflows, eslint, jest, and more, from a well-typed definition written in JavaScript. Users of projen's NodeProject project type (including any project type derived from it) include a .github/workflows/rebuild-bot.yml workflow that may allow any GitHub user to trigger execution of untrusted code in the context of the "main" repository (as opposed to that of a fork). In some situations, such untrusted code may be able to commit to the "main" repository.
The rebuild-bot workflow is triggered by comments containing @projen rebuild on a pull request; it re-builds the projen project and updates the pull request with the regenerated files. Because this workflow is triggered by an issue_comment event, it always executes with a GITHUB_TOKEN belonging to the repository into which the pull request is made (in contrast with workflows triggered by pull_request events, which always execute with a GITHUB_TOKEN belonging to the repository from which the pull request is made).
Repositories that do not have branch protection configured on their default branch (typically main or master) could allow an untrusted user to gain access to secrets configured on the repository (such as NPM tokens). Branch protection prevents this escalation: the managed GITHUB_TOKEN cannot modify the contents of a protected branch, and affected workflows must be defined on the default branch in order to run.
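As an added illustration of the trigger and token semantics described above (a constructed example, not projen's own rebuild-bot.yml and not necessarily the fix projen shipped), the risky issue_comment pattern beside a hardened variant; the hardened form assumes the repository also enables branch protection on its default branch as the advisory recommends:

```yaml
# Constructed illustration of the pattern described above (assumed, not
# projen's own rebuild-bot.yml). issue_comment runs in the base repository,
# so GITHUB_TOKEN belongs to the base repo while the code being built is
# whatever the pull request author pushed.
name: rebuild-bot (risky pattern)
on:
  issue_comment:
    types: [created]
jobs:
  rebuild:
    # Any GitHub user who can comment on the PR can trigger this job.
    if: github.event.issue.pull_request && contains(github.event.comment.body, '@projen rebuild')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head   # untrusted PR head
          token: ${{ secrets.GITHUB_TOKEN }}                     # base-repo token, write-capable
      - run: yarn install && npx projen   # runs the PR's project definition with that token available
      - run: git push                     # regenerated files pushed with the base-repo token

---
# Hardened variant (assumed mitigation pattern, not necessarily the fix projen
# shipped): restrict who can trigger the job, drop write permission from the
# token, and do not leave the token in the checkout. Pair this with branch
# protection on the default branch, as the advisory recommends.
name: rebuild-bot (hardened pattern)
on:
  issue_comment:
    types: [created]
permissions:
  contents: read          # GITHUB_TOKEN cannot push to any branch
  pull-requests: write    # enough to report back on the PR
jobs:
  rebuild:
    # Only owners, members and collaborators may trigger a rebuild;
    # CONTRIBUTOR is deliberately excluded (any past merged PR grants it).
    if: github.event.issue.pull_request && contains(github.event.comment.body, '@projen rebuild') && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head
          persist-credentials: false   # no base-repo credential left in .git/config for later steps
      - run: yarn install && npx projen
      # Pushing regenerated files back requires a separately scoped credential
      # and is intentionally omitted here.
```

The risky form differs from a pull_request-triggered workflow only in which repository's GITHUB_TOKEN it receives, which is the whole substance of this advisory.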
References
- github.com/advisories/GHSA-gg2g-m5wc-vccq
- github.com/projen/projen
- github.com/projen/projen/commit/36030c6a4b1acd0054673322612e7c70e9446643
- github.com/projen/projen/security/advisories/GHSA-gg2g-m5wc-vccq
- github.com/pypa/advisory-database/tree/main/vulns/projen/PYSEC-2021-111.yaml
- nvd.nist.gov/vuln/detail/CVE-2021-21423
- www.npmjs.com/package/projen