CVE-2024-42482
📋 TL;DR
CVE-2024-42482 is a command injection vulnerability in the fish-shop/syntax-check GitHub Action that allows attackers to execute arbitrary commands on workflow runners by manipulating the 'pattern' input. This affects users of this GitHub Action in their CI/CD pipelines. The vulnerability could lead to exposure of sensitive information like environment variables, secrets, or repository contents.
💻 Affected Systems
- fish-shop/syntax-check GitHub Action
📦 What is this software?
Syntax Check by Fish Shop
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the GitHub Actions runner environment, exfiltration of all secrets and environment variables, persistence in the CI/CD pipeline, and lateral movement to connected systems.
Likely Case
Exfiltration of repository secrets and environment variables to attacker-controlled servers, potentially exposing API keys, tokens, and sensitive configuration data.
If Mitigated
Limited impact if the 'pattern' input is hardcoded or strictly controlled, with no exposure of sensitive data.
🎯 Exploit Status
Exploitation requires ability to modify GitHub workflow inputs or trigger workflows with malicious input. The vulnerability is straightforward to exploit once an attacker gains workflow modification privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.6.12 or v2.0.0
Vendor Advisory: https://github.com/fish-shop/syntax-check/security/advisories/GHSA-xj87-mqvh-88w2
Restart Required: No
Instructions:
1. Update your GitHub workflow YAML file to use 'fish-shop/syntax-check@v1.6.12' or 'fish-shop/syntax-check@v2.0.0'.
2. Commit and push the changes to trigger workflows with the patched version.
🔧 Temporary Workarounds
Input Validation Workaround
Strictly validate and sanitize the 'pattern' input before passing it to the syntax-check action
# In your GitHub workflow YAML, add input validation:
# Ensure pattern only contains safe characters
# Example: validate pattern doesn't contain ; ( ) $ ` \ " '
Hardcode Pattern Values
Avoid using dynamic or user-controlled inputs for the pattern parameter
# Instead of:
# pattern: ${{ inputs.user_pattern }}
# Use:
# pattern: '**/*.fish' # Hardcoded safe value
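Added example (not from the advisory or the fish-shop project): a POSIX shell function that enforces the character allow-list described in the workaround above, so a run: step can reject a pattern before the action ever receives it. The allow-list itself and the sample inputs are assumptions chosen for this example.

```shell
# validate_pattern: succeed (exit 0) only when the glob consists solely of
# allow-listed characters. The allow-list (letters, digits, '_', '-', '.', '/',
# '*') is an assumption made for this example; widen it deliberately if needed.
validate_pattern() {
  [ -n "$1" ] || return 1                 # empty input is not a usable glob
  case "$1" in
    *[!A-Za-z0-9_./*-]*) return 1 ;;      # any character outside the allow-list,
  esac                                    # which covers ; ( ) $ ` \ " ' whitespace and newlines
  return 0
}

# check_and_report: wrapper for a workflow 'run:' step. Prints a verdict and
# returns non-zero so the job fails before the action receives the pattern.
check_and_report() {
  if validate_pattern "$1"; then
    printf 'pattern accepted: %s\n' "$1"
    return 0
  fi
  printf 'pattern rejected (disallowed characters): %s\n' "$1" >&2
  return 1
}

# Constructed sample inputs (not taken from the advisory) showing the split.
for sample in '**/*.fish' 'functions/*.fish' 'x; id' '$(id)' '`id`' ''; do
  check_and_report "$sample" 2>&1 || :
done
```

In a workflow, hand the value to the step through env: (for example env: PATTERN: ${{ inputs.user_pattern }}) and call check_and_report "$PATTERN" from the script; writing ${{ inputs.user_pattern }} directly into the run: script text would reintroduce the same kind of injection in your own step.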
🧯 If You Can't Patch
- Remove or disable the syntax-check action from workflows until patching is possible
- Implement strict input validation and review all workflow triggers to ensure only trusted sources can modify pattern inputs
🔍 How to Verify
Check if Vulnerable:
Check your GitHub workflow YAML files for uses of 'fish-shop/syntax-check' with version tags earlier than v1.6.12 or without version pinning
Check Version:
grep -r 'fish-shop/syntax-check' .github/workflows/ || find . \( -name '*.yml' -o -name '*.yaml' \) -exec grep -l 'fish-shop/syntax-check' {} \;
Verify Fix Applied:
Verify workflow YAML files now reference 'fish-shop/syntax-check@v1.6.12' or 'fish-shop/syntax-check@v2.0.0'
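Added example (not from the advisory or the fish-shop project): a POSIX shell audit that goes one step beyond the grep above by extracting the ref after '@' from every 'uses: fish-shop/syntax-check' line and classifying it against the fixed versions the advisory names (v1.6.12 and v2.0.0). The output format, the category names and the sample workflow are assumptions made for this example.

```shell
# classify_ref: given the ref after '@' in 'uses: fish-shop/syntax-check@<ref>',
# print one word: vulnerable, fixed, floating, pinned-sha or unknown.
# Fixed releases per the advisory: v1.6.12 and v2.0.0; anything earlier is affected.
classify_ref() {
  case "$1" in
    v[0-9]*.[0-9]*.[0-9]*)
      # Full release tag: split major.minor.patch and compare against 1.6.12.
      v=${1#v}
      major=${v%%.*}; rest=${v#*.}
      minor=${rest%%.*}; patch=${rest#*.}
      for part in "$major" "$minor" "$patch"; do
        case "$part" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
      done
      if   [ "$major" -gt 1 ]; then echo fixed
      elif [ "$major" -lt 1 ]; then echo vulnerable
      elif [ "$minor" -gt 6 ]; then echo fixed
      elif [ "$minor" -lt 6 ]; then echo vulnerable
      elif [ "$patch" -ge 12 ]; then echo fixed
      else echo vulnerable
      fi ;;
    v[0-9]*)     echo floating ;;    # e.g. v1: a moving tag, the file alone cannot tell
    *[!0-9a-f]*) echo unknown ;;     # branch name or other symbolic ref
    ???????*)    echo pinned-sha ;;  # hex-only ref: a commit pin, check which release it predates
    *)           echo unknown ;;
  esac
}

# audit_workflows DIR: list every line under DIR's *.yml/*.yaml files that
# references the action, with the ref found and its classification.
audit_workflows() {
  find "$1" \( -name '*.yml' -o -name '*.yaml' \) -type f | while IFS= read -r f; do
    grep -n 'fish-shop/syntax-check' "$f" | while IFS= read -r line; do
      lineno=${line%%:*}
      case "$line" in
        *fish-shop/syntax-check@*)
          # Take what follows '@' up to the first space, comment marker or quote.
          ref=$(printf '%s' "${line##*fish-shop/syntax-check@}" | sed "s/[[:space:]#'\"].*$//")
          verdict=$(classify_ref "$ref") ;;
        *)
          ref='(none)'; verdict=unpinned ;;   # no '@' at all: resolves to the default branch
      esac
      printf '%s:%s\t%s\t%s\n' "$f" "$lineno" "$ref" "$verdict"
    done
  done
}

# Constructed sample repository (not a real project file) to show the output.
demo=$(mktemp -d)
mkdir -p "$demo/.github/workflows"
cat > "$demo/.github/workflows/ci.yml" <<'EOF'
jobs:
  lint:
    steps:
      - uses: fish-shop/syntax-check@v1.6.11   # affected
      - uses: fish-shop/syntax-check@v1.6.12   # first fixed 1.x release
      - uses: fish-shop/syntax-check@v2.0.0
      - uses: fish-shop/syntax-check@v1
      - uses: fish-shop/syntax-check
EOF
audit_workflows "$demo"
rm -rf "$demo"
```

Run it as audit_workflows . from the repository root. A 'floating' or 'pinned-sha' verdict means the file alone cannot prove the fix is in place: resolve the tag or commit on the fish-shop/syntax-check repository and confirm it is at or after v1.6.12 (or v2.0.0).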
📡 Detection & Monitoring
Log Indicators:
- Unexpected command execution in GitHub Actions logs
- Pattern inputs containing shell metacharacters (;, (, ), $, `)
- Network connections from Actions runners to unexpected external domains
Network Indicators:
- Outbound connections from GitHub Actions runners to unknown or suspicious domains during syntax-check execution
SIEM Query:
source="github-actions" AND ("syntax-check" OR "fish-shop") AND (command_execution OR shell_metacharacters OR unexpected_network)