February 3, 2021

GHSL-2020-242: Command injection in telegramdesktop/tdesktop workflow

Jaroslav Lobacevski

Coordinated Disclosure Timeline


The ‘user_agent_updater.yml’ GitHub workflow is vulnerable to arbitrary command injection.


telegramdesktop/tdesktop GitHub repository

Tested Version

The latest changeset, 1a2afda, at the time of testing.


Issue: The forked branch name is used to format a shell command

Closing a PR automatically triggers the GitHub workflow, and the name of the forked branch (`github.head_ref`) is substituted directly into a bash script.

    types: [closed]
      - name: Delete branch.
        if: |
          env.isPull == '1'
            && github.event.action == 'closed'
            && startsWith(github.head_ref, env.headBranchPrefix)
        run: |
          # github.head_ref is the PR's source branch name, chosen by the fork owner;
          # the expression is expanded into this script text before bash parses it.
          git push origin --delete ${{ github.head_ref }}

An attacker can fork the repository, create a branch with a specially crafted name, make any commit, open a pull request and immediately close it to trigger the workflow. Because the branch name is expanded into the script before the shell parses it, this allows arbitrary command injection into the bash script. For a Proof of Concept, create a PR from a branch named chrome_`echo${IFS}"abc"`.
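The following is an added example (not code from the advisory or from the tdesktop project) that scans a workflow's `run:` scripts for `${{ }}` expressions drawing on contexts a fork's PR author controls, such as `github.head_ref` above; the hardened step it also checks is an assumed form of the GitHub-documented mitigation (passing the value through an environment variable), not the project's actual fix.

```python
import re

# Constructed sample: the vulnerable step quoted in the advisory.
VULNERABLE_STEP = """\
      - name: Delete branch.
        run: |
          git push origin --delete ${{ github.head_ref }}
"""

# Hardened form (assumption, not the project's fix): the untrusted value goes
# through an environment variable, so bash receives it as data instead of
# having it spliced into the script text before the shell parses it.
HARDENED_STEP = """\
      - name: Delete branch.
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          git push origin --delete "$HEAD_REF"
"""

# Expression contexts that the author of a PR from a fork controls.
UNTRUSTED = re.compile(
    r"github\.head_ref|github\.event\.pull_request\.(title|body|head\.(ref|label))"
)
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")

def run_scripts(workflow_text):
    """Yield (line_no, script) for each run: value; block scalars (run: |) are joined."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        i += 1
        if not m:
            continue
        indent, value, start = len(m.group(1)), m.group(2), i
        if value.rstrip("-+") not in ("|", ">"):     # plain one-line script
            yield start, value
            continue
        body = []                                    # YAML block scalar body
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > indent):
            body.append(lines[i])
            i += 1
        yield start, "\n".join(body)

def find_run_injections(workflow_text):
    """Return [(line_no, expression)] for untrusted expressions inlined into run scripts."""
    return [(n, m.group(1)) for n, script in run_scripts(workflow_text)
            for m in EXPR.finditer(script) if UNTRUSTED.search(m.group(1))]
```

The scanner is regex-based rather than a YAML parser, so it reports the line of the `run:` key and is meant as a quick audit aid, not a substitute for reviewing each workflow.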


The injection allows exfiltration of secrets and of the temporary GitHub repository authorization token to an attacker-controlled server. Although the token is no longer valid once the workflow finishes, the attacker controls the execution of the workflow and can delay its completion to give the malicious server time to modify the repository.


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2020-242 in any communication regarding this issue.