skip to content
Back to GitHub.com
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
February 3, 2021

GHSL-2020-233: Command injection in ONSdigital workflows

Jaroslav Lobacevski

Coordinated Disclosure Timeline

Summary

The ‘comment.yml’ and main.yml GitHub workflows are vulnerable to arbitrary command injection.

Product

ONSdigital/ras-frontstage GitHub repository
ONSdigital/sdc-uaa GitHub repository

Tested Version

comment.yml
main.yml

Details

Issue: The body of issue comment is used to format a shell command

An issue comment is used to format a bash script:

on:
  issue_comment:
    types: [created]
...
      - name: set namespace
        run: |
          echo NAMESPACE=$(echo ${{ github.event.comment.body }} | cut -d' ' -f2) >> $GITHUB_ENV
...

Impact

This vulnerability allows for arbitrary command injection into the bash script that may allow exfiltration of the secret tokens to the attacker controlled server. For a proof a concept an issue comment with the following title /deploy); echo "test" # will print test in the log.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-233 in any communication regarding this issue.