Security researchers have recently unearthed a supply-chain vulnerability within Bazel, one of Google’s flagship open-source products.
The flaw centered around a command injection vulnerability in a dependent GitHub Actions workflow, potentially allowing malicious actors to insert harmful code into Bazel’s codebase.
According to Cycode researchers, the gravity of this situation means it could affect millions of projects and users on various platforms, including Kubernetes, Angular, Uber, LinkedIn, Databricks, Dropbox, Nvidia and Google itself.
From a technical standpoint, the discovery focused on GitHub Actions, a continuous integration and continuous delivery (CI/CD) platform.
GitHub Actions allow users to automate build, test and deployment processes through customizable workflows. However, using Custom Actions, which function as individual workflow tasks, introduces complexities and potential security risks.
In an advisory published earlier today, Cycode emphasized that the extensive dependencies in workflows, often utilizing third-party actions, pose challenges for securing the software supply chain.
The company’s research zooms in on the vulnerabilities within indirect dependencies, such as Custom Actions, which may reside in different repositories, ecosystems and under diverse maintainers. The article discusses the risk introduced by Custom Actions within the GitHub Actions ecosystem, particularly Composite Actions, which combine multiple workflow steps in one action.
The advisory also dives into the specifics of the discovered vulnerability within Bazel’s GitHub Actions workflow, detailing the steps from triggering the workflow to the injection point. A key concern is the ability to inject and execute arbitrary commands due to a lack of proper input validation in Composite Actions.
Promptly reporting the vulnerability through Google’s Vulnerability Reward Program on November 1 2023, the Cycode research team received acknowledgment days later. Google then addressed and rectified the vulnerable components within Bazel by December 5.
The necessary fixes, including updates to workflow base permissions and modifications to the dependent action, were implemented, eliminating the command injection vulnerability.
Image credit: CHERRY.JUICE / Shutterstock.com