February 3, 2021

GHSL-2020-195: Arbitrary file write in dd-center/vdb workflow

Jaroslav Lobacevski

Coordinated Disclosure Timeline


The ‘submit.yml’ GitHub workflow is vulnerable to arbitrary file write, which may lead to the repository being compromised.


dd-center/vdb GitHub repository

Tested Version

submit.yml from the master branch.


Issue: The body of a public GitHub issue is parsed and used to define the path and the content of file write operation

When a user creates a public issue it automatically starts the submit.yml GitHub workflow. The body of the issue is used without validation in the submitPr.js action.

    - name: Commit Branch
      run: node submitPr.js
      env:
        ISSUE_NUMBER: ${{ github.event.issue.number }}
        ISSUE_BODY: ${{ github.event.issue.body }}
        GITHUB_TOKEN: ${{ secrets.gtoken }}

  const block = ISSUE_BODY.split('-----END SUBMIT BLOCK-----')[0].split('-----BEGIN SUBMIT BLOCK-----')[1]
  if (block) {
    await decodeBase64(block)
      .map(command => command.split(':'))
      .map(([command, arg, extra = '']) => [command, decodeBase64(arg), decodeBase64(extra)])
      .map(([command, arg, content]) => async () => {
        // `arg` is taken verbatim from the issue body; nothing checks that the
        // joined path stays inside vtbs/ (e.g. "../.git/config" is accepted)
        const path = join('vtbs', arg)
        if (command === 'delete') {
          await unlink(path)
          console.log('delete', path)
        }
        if (command === 'put') {
          await writeFile(path, content)
          console.log('put', path)
        }
      })
  }


This vulnerability allows for arbitrary file overwrite, which may lead to the repository being compromised. For example, an attacker may create an issue with a command to write an attacker-controlled proxy server address into .git/config; the next git command in the same submitPr.js script would then send the temporary GitHub repository authorization token to that proxy. Although the token is no longer valid after the workflow finishes, the proxy may hold the connection open until it times out, giving the malicious server time to modify the repository.


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2020-195 in any communication regarding this issue.