skip to content
Back to
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
February 3, 2021

GHSL-2020-182: Code injection in JonathanGin52/JonathanGin52 workflow

Jaroslav Lobacevski

Coordinated Disclosure Timeline


The ‘Connect4’ GitHub workflow is vulnerable to arbitrary code execution.


JonathanGin52 GitHub repository

Tested Version

connect4.yml from the Master branch.


Issue: The title of a public GitHub Issue is used to format Ruby code before it runs

When a user creates an Issue with a special title it automatically starts the connect4.yml GitHub workflow. The title of the public issue is used without sanitization to format Ruby code:

    - name: Play
      run: |
        ruby <<- EORUBY
          require './connect4/runner'

            github_token: '${{ secrets.GITHUB_TOKEN }}',
            issue_number: ENV.fetch('EVENT_ISSUE_NUMBER'),
            issue_title: '${{ github.event.issue.title }}',
            repository: ENV.fetch('REPOSITORY'),
            user: ENV.fetch('EVENT_USER_LOGIN'),


This vulnerability allows for arbitrary Ruby code execution. The injected code may exfiltrate the temporary GitHub repository authorization token from .git/config to the attacker controlled server. Although the token is not valid after the workflow finishes, since the attacker controls the execution of the workflow he or she can delay it to give the malicious server time to modify the repository.
For a proof of concept create an issue with a title Iconnect4|' + raise('asdf') + '. Observe the thrown asdf exception in the action log.


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2020-182 in any communication regarding this issue.