Summary
The GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but checks out the unreviewed code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). It then executes a script (`bin/console`) from that untrusted checkout.
Because `pull_request_target` runs with the base repository's secrets and token, any external contributor can achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by opening a malicious Pull Request. This pattern is commonly known as a "Pwn Request" vulnerability.
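The shape of the vulnerable workflow, as an added illustration that is not the project's actual `static.yml`. Only the trigger, the `head.ref` checkout and the `bin/console` execution come from the report above; the branch and path filters, job and step names, the `lint:yaml` argument and the `env` mapping are assumptions made for the example.

```yaml
# Illustrative reconstruction of the vulnerable pattern (added example, not the real file).
name: Static Tests

on:
  pull_request_target:
    branches: ["5.0", "next"]      # assumed filters
    paths:
      - "src/**"
      - "composer.json"

jobs:
  validate:
    runs-on: ubuntu-latest
    env:
      # Assumed: secrets from the base repository are put in the environment,
      # so anything that runs in this job can read them.
      PIMCORE_SECRET: ${{ secrets.PIMCORE_SECRET }}
      PIMCORE_PRODUCT_KEY: ${{ secrets.PIMCORE_PRODUCT_KEY }}
    steps:
      # VULNERABLE: pull_request_target runs in the base repository's privileged context,
      # but this step checks out the contributor-controlled head branch.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}

      # Everything executed from the checkout is now attacker-controlled.
      - name: Validate YAML
        run: bin/console lint:yaml config   # assumed command; any bin/console invocation suffices
```

The dangerous combination is the trigger plus the checkout of `head.ref` plus executing anything from the working tree; removing only the explicit `run:` step is not enough if a later step runs `composer install` or another tool that executes scripts from the checkout.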
Steps to Reproduce:
- Fork the target repository.
- In the fork, modify a file that satisfies the workflow's `paths` condition (e.g., `src/dummy.php` or `composer.json`) so that the workflow triggers.
- Replace the `bin/console` file (which the workflow executes) with the following payload:

```bash
#!/bin/bash
echo "=== PWNED ==="
echo "whoami:"
whoami
```

- Commit the changes and open a Pull Request against the `5.0` or `next` branch of the base repository.
- The `Static Tests` workflow triggers automatically. Open the Actions tab and inspect the logs of the `Validate YAML` step (or any step that executes `bin/console`).
- The output of `whoami` (typically `runner`) appears in the log, proving that arbitrary code was executed in the runner's context.

Impact:
Because `pull_request_target` runs in the context of the base repository, the runner has access to the repository secrets the workflow references (e.g., `PIMCORE_SECRET`, `PIMCORE_PRODUCT_KEY`) and to a `GITHUB_TOKEN` scoped to the base repository (read/write by default unless the workflow restricts `permissions:`). An attacker can exfiltrate these secrets, modify repository contents (if the token has write permissions), or abuse the runner's compute resources.
Recommended Mitigation:
Do not check out untrusted PR code (`head.ref`) under `pull_request_target` if that code will be built or executed.
Consider a split architecture using the `workflow_run` event:
- Use the `pull_request` event to run the build/tests in an unprivileged context (no secrets, read-only token for fork PRs) and upload the results as artifacts.
- Use the `workflow_run` event (which is privileged and runs the workflow file from the default branch) to download the artifacts and perform the actions that require secrets.
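The two-workflow split described above, as an added example that is not the project's own code. The workflow names, file names, `lint:yaml` command, artifact name and PR-comment step are assumptions; the important properties are that the first workflow runs without secrets and the second never executes anything taken from the artifact.

```yaml
# File 1: .github/workflows/static-tests.yml  (unprivileged; added example, names assumed)
name: Static Tests
on:
  pull_request:
    branches: ["5.0", "next"]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Checks out the PR merge commit. For fork PRs this context has no secrets
      # and only a read-only GITHUB_TOKEN, so running contributor code here is contained.
      - uses: actions/checkout@v4
      - run: bin/console lint:yaml config > lint-report.txt   # assumed command
      - run: echo "${{ github.event.number }}" > pr-number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: static-results
          path: |
            lint-report.txt
            pr-number.txt
---
# File 2: .github/workflows/static-results.yml  (privileged; added example, names assumed)
# workflow_run executes this file as it exists on the default branch, so a PR cannot change it.
name: Static Results
on:
  workflow_run:
    workflows: ["Static Tests"]
    types: [completed]
permissions:
  pull-requests: write
jobs:
  report:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: static-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # The artifact was produced by untrusted code: treat it as data, never execute it,
      # and validate anything used as an argument (here: keep only digits of the PR number).
      - run: |
          pr=$(tr -cd '0-9' < pr-number.txt)
          test -n "$pr" || exit 1
          gh pr comment "$pr" --body-file lint-report.txt
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
```

The second workflow holds the privileges, so it must not check out or unpack-and-run anything derived from the PR; it only reads the report and the PR number, and the PR number is sanitized before being passed to `gh`. If `pull_request_target` must be kept, the same rule applies: do not check out `head.ref` (or check out only the base ref), keep `persist-credentials: false`, and restrict `permissions:` to the minimum the job needs.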
References