Coordinated Disclosure Timeline
- 2020-11-23: Report sent to maintainer.
- 2020-12-09: Maintainer acknowledges.
- 2021-02-23: Email sent to the maintainer, no response.
- 2021-02-23: Disclosure deadline reached.
- 2021-03-25: Publication as per our disclosure policy.
Summary
The turn-issues-to-posts action is vulnerable to arbitrary command injection.
Product
turn-issues-to-posts (GitHub Action)
Tested Version
The latest changeset as of the report date.
Details
Issue: The title of an issue is used to format a shell command
The issue title is substituted directly into a bash script through a ${{ }} expression, like:

    ...
    run: |
      DATE="${{ inputs.created_at }}"
      mkdir -p ${{ inputs.dir }}
      # the expression below is expanded into the script text before bash parses it
      cat <<'EOF' > _posts/"${DATE:0:10}-${{ github.event.issue.title }}".md
    ...
Impact
This vulnerability allows arbitrary command injection into the bash script: the ${{ github.event.issue.title }} expression is expanded into the script text before the shell parses it, so quotes and metacharacters in the title become part of the command. As a consequence, attackers may be able to exfiltrate secret tokens. As a proof of concept, an issue with the title a".md; echo "test" # will print test in the action log.
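The usual mitigation is to stop pasting the expression into the script and instead hand the title to the shell as an environment variable, so it is only ever data. The script below is an added example (not the advisory's or the action's own code); it assumes a helper script called from the step with the title, timestamp and directory exported as ISSUE_TITLE, CREATED_AT and POST_DIR, which are assumed names.

```shell
#!/usr/bin/env bash
# Added example of the hardened step (not the project's code). The workflow
# would call this script instead of inlining the expression (assumed layout):
#   - run: ./write_post.sh "$POST_DIR" "$CREATED_AT" "$ISSUE_TITLE" "body"
#     env:
#       ISSUE_TITLE: ${{ github.event.issue.title }}
#       CREATED_AT: ${{ inputs.created_at }}
#       POST_DIR: ${{ inputs.dir }}
# Because the title arrives in a variable, bash never parses it as code.
set -eu

# Build the post path from variables only. Quoting keeps quotes, semicolons
# and '#' in the title inert; slashes are replaced so the title cannot point
# outside the posts directory, and the name is trimmed to a sane length.
post_path() {
  local dir="$1" created_at="$2" title="$3"
  local date_part safe_title
  date_part="$(printf '%s' "$created_at" | cut -c1-10)"
  safe_title="$(printf '%s' "$title" | tr '/' '-' | cut -c1-100)"
  printf '%s/%s-%s.md' "$dir" "$date_part" "$safe_title"
}

# Write the body to the computed path and echo the path that was used.
write_post() {
  local dir="$1" created_at="$2" title="$3" body="$4"
  local path
  path="$(post_path "$dir" "$created_at" "$title")"
  mkdir -p -- "$dir"
  printf '%s\n' "$body" > "$path"
  printf '%s' "$path"
}
```

Run with the advisory's proof-of-concept title and the file is created with that literal name; nothing is echoed to the log because the title is never re-parsed.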
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-235 in any communication regarding this issue.