The 'preview-manage.yml' GitHub workflow is vulnerable to arbitrary command injection.
DataBiosphere/terra-workspace-manager GitHub repository
An issue comment is used to format a bash script like:

```yaml
on:
  issue_comment:
    types: [created]
...
      - name: Construct version override JSON
        id: versions-override
        run: |
          comment='${{ github.event.comment.body }}'
...
```
This vulnerability allows arbitrary command injection into the bash script, which may allow exfiltration of the secret tokens to an attacker-controlled server. As a proof of concept, an issue comment with the following title `preview-create'; echo "test" #` will print `test` in the log.
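The usual mitigation is to keep untrusted event data out of the script text entirely by passing it through an environment variable, so the expression is expanded into the step's `env` block rather than into the shell script that bash parses. The following workflow fragment is an added example, not the project's own workflow; the job name `preview`, the variable `COMMENT_BODY` and the `case` handling are assumptions for illustration.

```yaml
on:
  issue_comment:
    types: [created]

jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      # Vulnerable pattern (as in the advisory): the comment body is
      # substituted into the script by the expression engine before bash
      # runs it, so a single quote in the comment terminates the literal
      # and the rest of the comment is executed as shell commands.
      #
      # - name: Construct version override JSON
      #   id: versions-override
      #   run: |
      #     comment='${{ github.event.comment.body }}'

      # Hardened pattern: the expression is expanded into an environment
      # variable, and the script only ever reads that variable through a
      # double-quoted reference, so its contents are never parsed as code.
      - name: Construct version override JSON
        id: versions-override
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          comment="$COMMENT_BODY"
          # Accept only the expected command prefix; anything else is ignored
          # rather than being interpreted further.
          case "$comment" in
            preview-create*)
              echo "preview requested"
              ;;
            *)
              echo "not a preview command, nothing to do"
              exit 0
              ;;
          esac
```

Because `$COMMENT_BODY` is a runtime variable rather than text spliced into the script, a comment such as the advisory's `preview-create'; echo "test" #` is treated as a plain string value and no extra command runs.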
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2020-234 in any communication regarding this issue.