skip to content
Back to GitHub.com
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
March 25, 2021

GHSL-2020-235: Arbitrary command injection in wayou/turn-issues-to-posts-action

Jaroslav Lobacevski

Coordinated Disclosure Timeline

Summary

The turn-issues-to-posts action is vulnerable to arbitrary command injection.

Product

turn-issues-to-posts action

Tested Version

The latest changeset to the date.

Details

Issue: The title of an issue is used to format a shell command

The title of an issue is used to format a bash script like:

...
      run: |
        DATE="${{ inputs.created_at }}"
        mkdir -p ${{ inputs.dir }}
        cat <<'EOF' > _posts/"${DATE:0:10}-${{ github.event.issue.title }}".md
...

Impact

This vulnerability allows for arbitrary command injection into the bash script. As a consequence, attackers may be able to exfiltrate secret tokens. As a proof of concept, an issue with the following title a".md; echo "test" # will print test in the action log.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-235 in any communication regarding this issue.