Coordinated Disclosure Timeline
- 2021-01-18: Report sent to maintainers.
- 2021-01-18: Issue resolved.
Summary
The DINAR-PORT.yml GitHub workflow in the itpp-labs/misc-addons, itpp-labs/website-addons, itpp-labs/access-addons, itpp-labs/l10n-addons, itpp-labs/mail-addons, itpp-labs/pos-addons and itpp-labs/sync-addons repositories is vulnerable to arbitrary command injection.
Product
itpp-labs/misc-addons, itpp-labs/website-addons, itpp-labs/access-addons, itpp-labs/l10n-addons, itpp-labs/mail-addons, itpp-labs/pos-addons and itpp-labs/sync-addons repositories.
Tested Version
The latest version at the time of reporting.
Details
Issue: The issue title is used to format a shell command
The workflow runs on issue events and substitutes the issue title, via a ${{ ... }} expression, directly into the bash script of a run step:
on:
  issues:
    types:
      - opened
      - reopened
...
    - name: Analyze request
      run: |
        # sets environment variables that available in next steps via $ {{ env.PORT_... }} notation
        python DINAR/workflow-files/analyze_port_trigger.py "${{ github.event.issue.title }}"
...
Because the expression is expanded textually before the shell parses the script, a title containing a double quote terminates the quoted argument and anything after it is interpreted as further shell commands.
Impact
This vulnerability allows arbitrary command injection into the bash script, which in turn allows unauthorized modification of the base repository and exfiltration of secrets. Since the workflow is triggered when an issue is opened or reopened, anyone able to open an issue in the repository can trigger it. For a proof of concept, create an issue whose title is DINAR-PORT "; echo "test"; # (the double quote and everything after it are part of the title). The first double quote closes the quoted argument to the Python script, echo "test" then runs as a separate command, and # comments out the rest of the line.
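The following script is an added example and is not code from the GHSL advisory or from the itpp-labs repositories. It reproduces the behaviour described in Details and Impact offline: GitHub Actions replaces ${{ ... }} expressions textually in a run script before the shell sees it, so the script builds the same command line by string concatenation and executes it with sh -c. The analyze_port_trigger shell function is a hypothetical stand-in for DINAR/workflow-files/analyze_port_trigger.py that only reports its first argument. The hardened_step function shows the usual mitigation of passing the expression through an environment variable so the shell never re-parses the title.

```shell
#!/bin/sh
# Added example, not code from the GHSL advisory or the itpp-labs workflow.
# Simulates GitHub Actions expanding ${{ github.event.issue.title }} inside a
# `run:` step: the expansion is a textual substitution that happens before the
# shell parses the script.

# Constructed attacker-controlled issue title (the advisory's proof of concept).
ISSUE_TITLE='DINAR-PORT "; echo "test"; #'

# Hypothetical stand-in for DINAR/workflow-files/analyze_port_trigger.py: it only
# prints the first argument it received. It is prepended to every generated
# script so the child shell started by `sh -c` can call it.
STUB='analyze_port_trigger() { printf "analyze got: [%s]\n" "$1"; }; '

# Vulnerable step. Workflow text:
#   run: python DINAR/workflow-files/analyze_port_trigger.py "${{ github.event.issue.title }}"
# After expansion the shell sees the title inline, quotes and all, so the title
# can close the quoted argument and append its own commands.
vulnerable_step() {
  script="$STUB"'analyze_port_trigger "'"$ISSUE_TITLE"'"'
  sh -c "$script"
}

# Hardened step. Workflow text:
#   env:
#     TITLE: ${{ github.event.issue.title }}
#   run: python DINAR/workflow-files/analyze_port_trigger.py "$TITLE"
# The expression is expanded into the environment, not into the script text, so
# the shell parses "$TITLE" as a single word whatever the title contains.
hardened_step() {
  script="$STUB"'analyze_port_trigger "$TITLE"'
  TITLE="$ISSUE_TITLE" sh -c "$script"
}

echo '--- vulnerable step (title is spliced into the script) ---'
vulnerable_step
echo '--- hardened step (title is passed via the environment) ---'
hardened_step
```

Running the script shows the vulnerable step printing "test" from the injected echo command with only "DINAR-PORT " reaching the stand-in, while the hardened step hands the complete title, quotes and semicolons included, to the stand-in as one argument.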
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-011 in any communication regarding this issue.