March 25, 2021

GHSL-2020-235: Arbitrary command injection in wayou/turn-issues-to-posts-action

Jaroslav Lobacevski

Coordinated Disclosure Timeline


The turn-issues-to-posts action is vulnerable to arbitrary command injection.


turn-issues-to-posts action

Tested Version

The latest changeset to date.


Issue: The title of an issue is used to format a shell command

The title of an issue is interpolated directly into a bash script, like:

```yaml
      run: |
        DATE="${{ inputs.created_at }}"
        mkdir -p ${{ inputs.dir }}
        cat <<'EOF' > _posts/"${DATE:0:10}-${{ github.event.issue.title }}".md
```


Because `${{ github.event.issue.title }}` is expanded by the Actions runner before bash parses the script, this vulnerability allows arbitrary command injection into the bash script. As a consequence, attackers may be able to exfiltrate secret tokens available to the workflow. As a proof of concept, an issue with the title `a".md; echo "test" #` will print `test` in the action log.
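The following is an added illustration of the mitigation, not code from the advisory or from the turn-issues-to-posts-action project: the untrusted title is passed to the step through `env:` and referenced as a quoted shell variable, so bash only ever sees it as data. The step structure and `inputs.*` names are assumed to match the vulnerable fragment above.

```yaml
# Vulnerable: the expression is substituted into the script text before bash runs it,
# so a crafted issue title becomes part of the command line.
- name: Create post (vulnerable)
  run: |
    DATE="${{ inputs.created_at }}"
    mkdir -p ${{ inputs.dir }}
    cat <<'EOF' > _posts/"${DATE:0:10}-${{ github.event.issue.title }}".md
    EOF

# Hardened: every untrusted value enters the step as an environment variable.
# The runner sets the variable's value verbatim; bash never parses it as script,
# and the double quotes keep the filename intact even if it contains spaces or ';'.
- name: Create post (hardened)
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
    CREATED_AT: ${{ inputs.created_at }}
    POSTS_DIR: ${{ inputs.dir }}
  run: |
    DATE="$CREATED_AT"
    mkdir -p "$POSTS_DIR"
    cat <<'EOF' > "$POSTS_DIR/${DATE:0:10}-${ISSUE_TITLE}.md"
    EOF
```

With the hardened step, the proof-of-concept title from this advisory simply produces a file whose name contains the literal text `a".md; echo "test" #`, and nothing is executed.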


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2020-235 in any communication regarding this issue.