February 3, 2021

GHSL-2020-231: Command injection in graphql-dotnet workflows

Jaroslav Lobacevski

Coordinated Disclosure Timeline

Summary

The wipcheck.yml GitHub workflow in graphql-dotnet, server, parser and authorization repositories is vulnerable to arbitrary command injection.

Product

graphql-dotnet GitHub repositories

Tested Version

graphql-dotnet
server
parser
authorization

Details

Issue: The title of a public GitHub pull request is used to format a shell command

A Pull Request title, which any contributor controls, is interpolated directly into a bash script:

name: Check if PR title contains [WIP]

on:
  pull_request:
    types:
      - opened        # when PR is opened
      - edited        # when PR is edited
      - synchronize   # when code is added
      - reopened      # when a closed PR is reopened

jobs:
  check-title:
    runs-on: ubuntu-latest

    steps:
      - name: Fail build if pull request title contains [WIP]
        if: ${{ contains(github.event.pull_request.title, '[WIP]') }} # This function is case insensitive.
        run: |
          echo Warning! PR title "${{ github.event.pull_request.title }}" contains [WIP]. Remove [WIP] from the title when PR is ready.
          exit 1
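The standard mitigation is to hand the untrusted field to the script through an environment variable instead of interpolating it into the run: body. The following is an added example of the hardened workflow, not the fix the graphql-dotnet maintainers shipped; the variable name PR_TITLE is an assumption.

```yaml
name: Check if PR title contains [WIP]

on:
  pull_request:
    types: [opened, edited, synchronize, reopened]

jobs:
  check-title:
    runs-on: ubuntu-latest
    steps:
      - name: Fail build if pull request title contains [WIP]
        if: ${{ contains(github.event.pull_request.title, '[WIP]') }}
        # Bind the untrusted value to an environment variable. The runner still
        # expands the expression, but only into the process environment, never
        # into the bash source text, so quote characters in the title cannot
        # close the string or start a new command.
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}  # variable name is an assumption
        run: |
          # Double-quote the variable so the title reaches echo as a single
          # argument and is never re-parsed by the shell.
          echo "Warning! PR title \"$PR_TITLE\" contains [WIP]. Remove [WIP] from the title when PR is ready."
          exit 1
```

The same pattern applies to any other attacker-controlled event field (issue titles, branch names, commit messages) that a workflow echoes or otherwise uses inside run: steps.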

Impact

This vulnerability allows for arbitrary command injection into the bash script. As a proof of concept, a Pull Request with the title title"; sleep 10 # will delay the action by ten seconds.

Workflows triggered by pull_request run with a limited repository token and no access to secrets. The attacker couldn’t do much beyond CI DoS attacks or running their own code in the context of the GitHub Actions runner.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-231 in any communication regarding this issue.