February 3, 2021
GHSL-2020-234: Command injection in DataBiosphere/terra-workspace-manager workflow
Jaroslav LobačevskiCoordinated Disclosure Timeline
- 2020-11-23-2020-12-01: Report sent to various maintainers.
- 2020-12-01: Report acknowledged.
- 2020-12-07: Issue resolved.
Summary
The 'preview-manage.yml' GitHub workflow is vulnerable to arbitrary command injection.
Product
DataBiosphere/terra-workspace-manager GitHub repository
Tested Version
Details
Issue: The body of issue comment is used to format a shell command
An issue comment is used to format a bash script like:
on:
issue_comment:
types: [created]
...
- name: Construct version override JSON
id: versions-override
run: |
comment='${{ github.event.comment.body }}'
...Impact
This vulnerability allows for arbitrary command injection into the bash script that may allow exfiltration of the secret tokens to the attacker controlled server. For a proof a concept an issue comment with the following title preview-create'; echo "test" # will print test in the log.
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-234 in any communication regarding this issue.