Coordinated Disclosure Timeline

Summary

The ‘release.yml’ GitHub workflow is vulnerable to arbitrary command injection.

Product

allenevans/set-env GitHub repository

Tested Version

release.yml

Details

Issue: A commit message is used to format a shell command

The commit message is interpolated directly into the bash script of the Config step:

on:
  push:
    branches:
      - 'master'
...
        run: |
          echo "Release triggered by ${{github.actor}}"
          echo "Commit ${{github.event.commits[0].message}}"
...

An attacker may place the payload in a commit message and open an otherwise valid pull request that is then merged. A reviewer is unlikely to notice it, especially when the PR contains multiple commits.
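The standard mitigation, shown here as an added example that is not part of the original advisory or of the allenevans/set-env repository: evaluate the untrusted expression into an environment variable so that bash receives the commit message as data rather than as part of the script text. The job name and the variable names are assumptions.

```yaml
on:
  push:
    branches:
      - 'master'

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # Vulnerable pattern (for comparison): the ${{ }} expression is
      # substituted into the script text before bash parses it, so shell
      # metacharacters in the commit message become part of the command.
      #
      # - name: Config
      #   run: |
      #     echo "Commit ${{ github.event.commits[0].message }}"

      # Hardened pattern: the expression is evaluated by the runner into an
      # environment variable. Bash expands "$COMMIT_MESSAGE" as a single
      # double-quoted string and never parses its contents as code.
      - name: Config
        env:
          ACTOR: ${{ github.actor }}
          COMMIT_MESSAGE: ${{ github.event.commits[0].message }}
        run: |
          echo "Release triggered by $ACTOR"
          echo "Commit $COMMIT_MESSAGE"
```

The same rule applies to every `${{ }}` expression that carries attacker-influenced data (PR titles and bodies, branch names, issue text) inside a `run:` step.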

Impact

This vulnerability allows arbitrary command injection into the bash script. An attacker may exfiltrate secret tokens to an attacker-controlled server, push arbitrary commits to the repository, or subvert the release step directly, which in turn affects every repository that depends on the action.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2020-229 in any communication regarding this issue.