The comment.yml and output_comment.yml GitHub workflows are vulnerable to arbitrary command injection.
Product: drewmullen/actions-playground GitHub repository
Tested Version: comment.yml and output_comment.yml GitHub workflows from the master branch.
When a user comments on a Pull Request with `build` or `echo`, it automatically starts the comment.yml or output_comment.yml GitHub workflow. The comment text is used to format a bash script.
```yaml
on:
  issue_comment:
    types: [created]
jobs:
  build:
    if: >
      startsWith(github.event.comment.body, 'build')
      && startsWith(github.event.issue.pull_request.url, 'https://')
    runs-on: ubuntu-latest
    steps:
      - name: print comment body
        run: echo ${{ github.event.comment.body }}
      - name: set body comments
        run: |
          set -eu
          build_dir=$( cut -d ' ' -f 2 <<< '${{ github.event.comment.body }}' )
          buckets=$( cut -d ' ' -f 3- <<< "${{ github.event.comment.body }}" )
      ...
```
and
```yaml
on:
  issue_comment:
    types: [created]
jobs:
  echo-chamber:
    if: >
      startsWith(github.event.comment.body, 'echo')
      && startsWith(github.event.issue.pull_request.url, 'https://')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      ...
      - name: set body comments
        id: listen
        run: |
          set -eu
          content=$( cut -d ' ' -f 2 <<< '${{ github.event.comment.body }}' )
```
The repository is vulnerable itself and demonstrates unsafe practices that allow arbitrary command injection into a bash script: the `${{ github.event.comment.body }}` expression is expanded into the script text before bash runs it, so shell metacharacters in the comment become part of the script. For a Proof of Concept, comment `build; exit 1` on a Pull Request.
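The expansion mechanism and a defensive check, as an added example that is not part of this advisory or of the actions-playground repository: a small Python script that reads a workflow file with indentation rules only (no YAML library), collects every `${{ ... }}` expression that is expanded inside a `run:` script, and flags those referencing contexts GitHub documents as attacker-controlled. The `UNTRUSTED_CONTEXTS` list is an assumed subset of that documented list, and the `VULNERABLE` and `HARDENED` workflow strings are constructed samples; the hardened one passes the comment through an `env:` variable so bash sees it as data rather than as script text.

```python
"""Static check for GitHub Actions script injection: `${{ ... }}` expressions
that expand attacker-controlled event data inside `run:` scripts.
Added example; not code from the advisory or the repository it describes."""
import re

# Subset of the event fields GitHub documents as attacker-controlled (issue,
# PR and comment text, commit messages, branch names). Assumed, not exhaustive.
UNTRUSTED_CONTEXTS = (
    "github.event.comment.body",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.head_commit.message",
    "github.event.pull_request.head.ref",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}", re.DOTALL)
# Matches a `run:` key, optionally as a list item (`- run:`); group 1 is the
# text before the key, so its length is the key's column.
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def extract_run_scripts(workflow_text):
    """Yield (line_number, script) per run: step (1-based line of the key).
    Handles inline values (`run: cmd`) and block scalars (`run: |`, `run: >`)."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1))
        value = m.group(2).strip()
        lineno = i + 1
        if value and value[0] in "|>":
            # Block scalar: body lines are indented deeper than the `run:` key.
            body = []
            i += 1
            while i < len(lines):
                line = lines[i]
                indent = len(line) - len(line.lstrip())
                if line.strip() and indent <= key_col:
                    break
                body.append(line)
                i += 1
            yield lineno, "\n".join(body)
        else:
            yield lineno, value
            i += 1


def find_injections(workflow_text):
    """Return [(line_number, expression)] for every untrusted context that is
    pasted textually into a run: script (the pattern behind this advisory)."""
    findings = []
    for lineno, script in extract_run_scripts(workflow_text):
        for m in EXPR_RE.finditer(script):
            expr = m.group(1).strip()
            if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                findings.append((lineno, expr))
    return findings


def render_expression(script, comment_body):
    """Mimic what GitHub does before bash starts: the expression is replaced
    by the raw comment text, quotes and metacharacters included."""
    return script.replace("${{ github.event.comment.body }}", comment_body)


# Constructed sample modelled on the vulnerable comment.yml steps.
VULNERABLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: print comment body
        run: echo ${{ github.event.comment.body }}
      - name: set body comments
        run: |
          set -eu
          build_dir=$( cut -d ' ' -f 2 <<< '${{ github.event.comment.body }}' )
          buckets=$( cut -d ' ' -f 3- <<< "${{ github.event.comment.body }}" )
"""

# Hardened form (constructed): the comment reaches the script only through an
# environment variable, which bash treats as data whatever it contains.
HARDENED = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: set body comments
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          set -eu
          build_dir=$( cut -d ' ' -f 2 <<< "$COMMENT_BODY" )
          buckets=$( cut -d ' ' -f 3- <<< "$COMMENT_BODY" )
"""

if __name__ == "__main__":
    for lineno, expr in find_injections(VULNERABLE):
        print(f"VULNERABLE line {lineno}: {expr!r} expanded inside run:")
    print("HARDENED findings:", find_injections(HARDENED))
    print(render_expression("echo ${{ github.event.comment.body }}", "build; exit 1"))
```

Running the script reports three expansions in the vulnerable sample (the inline `echo` step and both lines of the block scalar) and none in the hardened one; `render_expression` shows why quoting inside the script does not help, since the substitution happens before bash parses anything.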
This arbitrary command injection potentially allows exfiltration of secrets used by the build runner. To make the attack less visible, the attacker may modify the comment later.
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2020-194 in any communication regarding this issue.