February 3, 2021

GHSL-2020-232: Command injection in wireapp/wire-webapp workflow

Jaroslav Lobačevski

Coordinated Disclosure Timeline


The ‘test_build_deploy.yml’ GitHub workflow is vulnerable to arbitrary command injection.


wireapp/wire-webapp GitHub repository

Tested Version



Issue: The title of a public GitHub pull request, or the last commit message, is used to format a shell command

The pull request title (falling back to the first line of the last commit message) is interpolated directly into a bash run step:

    branches: [master, dev, edge, avs]
      - name: Set environment variables
        run: |
          echo "PR_LAST_COMMIT_MESSAGE=$(git log --format=%B -n 1 ${{github.event.after}} | head -n 1)" >> $GITHUB_ENV

      - name: Set TITLE
        run: echo "TITLE=${{github.event.pull_request.title || env.PR_LAST_COMMIT_MESSAGE}}" >> $GITHUB_ENV


Because `${{ ... }}` expressions are expanded by the runner as plain text before bash ever parses the script, the pull request title becomes part of the command line and any shell metacharacters in it are executed. For a proof of concept, a pull request with the title `title"; sleep 10 #` closes the double-quoted echo argument, runs `sleep 10` and comments out the remainder of the line, delaying the action by ten seconds.

Workflows triggered by pull_request from a fork run with a read-only GITHUB_TOKEN and no access to repository secrets, so the attacker could not do much beyond denial of service of the CI or running their own code in the context of the GitHub Actions runner.
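The mechanism behind the proof of concept, alongside the conventional remediation of passing the untrusted value through an `env:` mapping instead of interpolating it with `${{ }}`, as an added example that is not part of this advisory or of the wireapp/wire-webapp repository. The runner's textual expansion is imitated with printf; the functions `render_vulnerable_step`, `render_hardened_step`, `run_step` and `recorded_title`, the `PR_TITLE` value and the `MARKER` file are all constructed for this demonstration.

```shell
#!/usr/bin/env bash
# Added example; not code from the advisory or from wireapp/wire-webapp.
# It imitates what the Actions runner does with a `run:` script: every
# ${{ expr }} is replaced textually *before* bash parses the script, so an
# attacker-controlled pull request title becomes shell syntax. Delivering the
# same value through an `env:` mapping and quoting it keeps it as data.

# Constructed attacker-controlled PR title, same shape as the advisory's PoC
# but writing a marker file instead of sleeping so the effect is observable.
PR_TITLE='title"; echo injected > "$MARKER" #'

# Vulnerable step: the title is spliced into the script text, which is what the
# runner does for  echo "TITLE=${{github.event.pull_request.title}}" >> $GITHUB_ENV
render_vulnerable_step() {
  printf 'echo "TITLE=%s" >> "$GITHUB_ENV"\n' "$1"
}

# Hardened step: in YAML the step would carry
#   env:
#     PR_TITLE: ${{ github.event.pull_request.title }}
# and the script only references the quoted variable, so nothing in the title
# is ever parsed by the shell.
render_hardened_step() {
  printf 'echo "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n'
}

# Execute a rendered script the way the runner would: a fresh bash process,
# GITHUB_ENV pointing at a scratch file, the title also exported as PR_TITLE.
# Prints "injected" if the attacker's command ran, "clean" otherwise.
run_step() {
  local script=$1 title=$2
  local workdir
  workdir=$(mktemp -d)
  : > "$workdir/github_env"
  GITHUB_ENV="$workdir/github_env" MARKER="$workdir/marker" PR_TITLE="$title" \
    bash -c "$script" >/dev/null 2>&1
  if [ -e "$workdir/marker" ]; then echo injected; else echo clean; fi
  rm -rf "$workdir"
}

# What the hardened step records in GITHUB_ENV: the title verbatim, metacharacters
# and all, as the single line TITLE=<title>.
recorded_title() {
  local workdir
  workdir=$(mktemp -d)
  : > "$workdir/github_env"
  GITHUB_ENV="$workdir/github_env" PR_TITLE="$1" bash -c "$(render_hardened_step)"
  cat "$workdir/github_env"
  rm -rf "$workdir"
}

# Demonstration when run directly.
echo "vulnerable step: $(run_step "$(render_vulnerable_step "$PR_TITLE")" "$PR_TITLE")"
echo "hardened step:   $(run_step "$(render_hardened_step)" "$PR_TITLE")"
echo "recorded:        $(recorded_title "$PR_TITLE")"
```

The hardened variant still depends on the script quoting the variable: an unquoted `$PR_TITLE` would not execute the attacker's command, but it would undergo word splitting and globbing, so the double quotes around it are part of the fix, not decoration.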


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2020-232 in any communication regarding this issue.