According to a warning from a Japanese security researcher, a vulnerability in the GitHub Actions process for PyPI’s source repository might be abused to conduct a fraudulent pull request and finally execute arbitrary code on pypi.org.
RyotaK, a security researcher, revealed information on three vulnerabilities in PyPI on Friday, one of which might lead to the entire PyPI ecosystem being compromised.
Python Package Index (PyPI) is the Python programming language’s official third-party software repository, with some package managers adopting it as the default source for packages and dependencies.
The problem was caused by the combine-prs.yml workflow in pypa/warehouse, which was created to collect and merge pull requests with branch names that began with dependabot (Dependabot does not have a merge function).
Because the workflow did not validate the author of the pull request, anyone could make a pull request with a certain name and have it processed by the workflow. However, because the workflow mixes pull requests and the outcome is verified by a person, any harmful code will be discarded, code execution would be impossible.
The researcher uncovered a weakness in the code responsible for displaying branch listings of pull requests, which could be used to run commands and “leak GitHub Access Token with write permission against the pypa/warehouse repository.”
Because any code pushed to the main pypa/warehouse branch is automatically published to pypi.org, an attacker with write permission to the repository can run arbitrary code on the website.
To carry out a successful attack, a threat actor would need to fork the pypa/warehouse repository, create a branch named dependabot, add a modification to the branch and create a benign pull request, wait for combine-prs.yml to run, capture the leaked GitHub Access Token with write permissions, and then add a modification to the main branch to have it deployed to pypa.
An attack would be difficult to detect, as the PyPI security team points out, because the attacker may use a non-malicious pull request. As a result, even if a PyPI administrator examines the attacker’s pull request, it will be approved because it does not seek to exploit any vulnerability.
In October 2020, the repository was updated to include the vulnerable workflow. The security flaw was patched by the PyPI security team the same day RyotaK reported it last week.