February 3, 2021

GHSL-2020-234: Command injection in DataBiosphere/terra-workspace-manager workflow

Jaroslav Lobačevski

Coordinated Disclosure Timeline

  • 2020-11-23 to 2020-12-01: Report sent to various maintainers.
  • 2020-12-01: Report acknowledged.
  • 2020-12-07: Issue resolved.

Summary

The 'preview-manage.yml' GitHub workflow is vulnerable to arbitrary command injection.

Product

DataBiosphere/terra-workspace-manager GitHub repository

Tested Version

preview-manage.yml

Details

Issue: The body of an issue comment is used to format a shell command

An issue comment is used to format a bash script like:

on:
  issue_comment:
    types: [created]
...
    - name: Construct version override JSON
      id: versions-override
      run: |
        comment='${{ github.event.comment.body }}'
...

Impact

This vulnerability allows for arbitrary command injection into the bash script, which may allow exfiltration of the secret tokens to an attacker-controlled server. For a proof of concept, an issue comment consisting of preview-create'; echo "test" # will print test in the log.
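The root cause is that a `${{ }}` expression is substituted into the `run:` script as text before bash ever parses it, so the single quotes around `${{ github.event.comment.body }}` offer no protection. The following added example (not part of the advisory or the project's workflow) emulates that substitution locally with `sh -c`, using the advisory's proof-of-concept comment body, and places it beside the standard fix: passing the value through an `env:` mapping so the shell receives it as data in a variable rather than as script source. The function names and the `echo "comment=[...]"` step are constructed for illustration.

```shell
#!/usr/bin/env sh
# Added example, not from the advisory or DataBiosphere/terra-workspace-manager.
# It emulates how a GitHub Actions `${{ }}` expression is spliced into a `run:`
# script as text before the shell parses it, versus passing the same value via
# an environment variable. POC_COMMENT is the advisory's proof-of-concept body.

POC_COMMENT="preview-create'; echo \"test\" #"

# Vulnerable pattern (emulated). In the workflow this is:
#   run: |
#     comment='${{ github.event.comment.body }}'
# Actions expands the expression into the script source, so the shell parses
#   comment='preview-create'; echo "test" #'
# as two commands. We build that exact script text and hand it to sh -c.
run_interpolated() {
    script="comment='$1'
echo \"comment=[\$comment]\""
    sh -c "$script" 2>&1
}

# Hardened pattern (emulated). In the workflow this is:
#   env:
#     COMMENT: ${{ github.event.comment.body }}
#   run: |
#     comment="$COMMENT"
# The untrusted text is only ever the value of a variable; the shell never
# sees it as code, so quotes, semicolons and # inside it are inert.
run_via_env() {
    COMMENT="$1" sh -c 'comment="$COMMENT"; echo "comment=[$comment]"' 2>&1
}

# Stand-alone demo: the vulnerable variant prints an extra "test" line from
# the injected echo; the env variant prints the whole payload as data.
echo "--- interpolated (vulnerable) ---"
run_interpolated "$POC_COMMENT"
echo "--- env mapping (fixed) ---"
run_via_env "$POC_COMMENT"
```

When reviewing workflows triggered by `issue_comment`, `issues`, `pull_request_target` or similar events, treat every `${{ github.event.* }}` field that reaches a `run:` step as this class of bug unless it is routed through `env:` (or an action input) and then quoted as `"$VAR"` in the script.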

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2020-234 in any communication regarding this issue.