Coordinated Disclosure Timeline

Summary

The 'comment.yml' and 'main.yml' GitHub workflows are vulnerable to arbitrary command injection.

Product

ONSdigital/ras-frontstage GitHub repository
ONSdigital/sdc-uaa GitHub repository

Tested Version

comment.yml
main.yml

Details

Issue: The body of an issue comment is used to format a shell command

An issue comment is used to format a bash script:

on:
  issue_comment:
    types: [created]
...
      - name: set namespace
        run: |
          echo NAMESPACE=$(echo ${{ github.event.comment.body }} | cut -d' ' -f2) >> $GITHUB_ENV
...

Impact

This vulnerability allows arbitrary command injection into the bash script, which may allow exfiltration of the secret tokens to an attacker-controlled server. As a proof of concept, an issue comment with the following title: /deploy); echo "test" # will print test in the log.
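As an added example (not code from the affected repositories), a hardened replacement for the "set namespace" step: the workflow passes the comment body to the step through an env: entry (COMMENT_BODY: ${{ github.event.comment.body }}) so it reaches the script as data in a variable, and the script validates the extracted field before writing it to GITHUB_ENV. The function names and the namespace pattern are assumptions.

```shell
#!/usr/bin/env bash
# Added example: hardened "set namespace" step for an issue_comment workflow.
# In the workflow the step declares
#   env:
#     COMMENT_BODY: ${{ github.event.comment.body }}
# so the comment body is never substituted into the script text itself.

# Extract the second whitespace-separated field of the first line of the
# comment body and accept it only if it looks like a Kubernetes namespace
# (a DNS label: lowercase alphanumerics and hyphens, up to 63 characters).
# Prints the namespace and returns 0; returns 1 for a missing or invalid value.
parse_namespace() {
  local body="$1"
  local ns
  # awk prints field 2 of the first line only, then stops.
  ns="$(printf '%s\n' "$body" | awk '{ print $2; exit }')"
  [ -n "$ns" ] || return 1
  if printf '%s' "$ns" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'; then
    printf '%s\n' "$ns"
    return 0
  fi
  return 1
}

# Step body: write NAMESPACE to $GITHUB_ENV only after validation.
# Shell metacharacters in COMMENT_BODY are never parsed as code here,
# because the value is only ever expanded inside double quotes.
set_namespace_step() {
  local ns
  if ! ns="$(parse_namespace "${COMMENT_BODY:-}")"; then
    echo "::error::comment body does not contain a valid namespace" >&2
    return 1
  fi
  echo "NAMESPACE=$ns" >> "${GITHUB_ENV:?GITHUB_ENV is not set}"
}
```

With this shape the advisory's proof-of-concept body yields the literal string "echo" as data rather than a command, and bodies such as "/deploy $(id)" are rejected outright.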

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2020-233 in any communication regarding this issue.