February 3, 2021

GHSL-2021-011: Command injection in itpp-labs workflows

Jaroslav Lobacevski

Coordinated Disclosure Timeline

Summary

The DINAR-PORT.yml GitHub workflow in the itpp-labs/misc-addons, itpp-labs/website-addons, itpp-labs/access-addons, itpp-labs/l10n-addons, itpp-labs/mail-addons, itpp-labs/pos-addons and itpp-labs/sync-addons repositories is vulnerable to arbitrary command injection.

Product

itpp-labs/misc-addons, itpp-labs/website-addons, itpp-labs/access-addons, itpp-labs/l10n-addons, itpp-labs/mail-addons, itpp-labs/pos-addons and itpp-labs/sync-addons repositories.

Tested Version

The latest version to date.

Details

Issue: The issue title is used to format a shell command

An issue title is used to format a bash script:

on:
  issues:
    types:
      - opened
      - reopened
...
      - name: Analyze request
        run: |
          # sets environment variables that available in next steps via $ {{ env.PORT_... }} notation
          python DINAR/workflow-files/analyze_port_trigger.py "${{ github.event.issue.title }}"
...

Impact

This vulnerability allows arbitrary command injection into the bash script, which in turn allows unauthorized modification of the base repository and secrets exfiltration. For a proof of concept, create an issue with the following title: DINAR-PORT "; echo "test"; #.
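
Added example, not part of the original advisory or the itpp-labs code: a small Python check that flags issue- and PR-controlled expressions interpolated directly into run: scripts, applied to a constructed workflow built around the step above and to a hardened variant that passes the title through an environment variable. The job name, the ISSUE_TITLE variable and the list of untrusted contexts are assumptions.

```python
import re

# Contexts an issue or PR author controls (assumed, non-exhaustive list).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(?:issue|pull_request|comment)\.(?:title|body)\s*\}\}")
# Group 1 ends at the column of the "run" key, including a leading "- ".
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_injections(workflow_text):
    """Return (line_no, expression) pairs found inside run: scripts."""
    findings, run_col = [], None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_KEY.match(line)
        if m:
            run_col, body = len(m.group(1)), m.group(2)   # inline script, or "|"
        elif run_col is not None and line.strip():
            if len(line) - len(line.lstrip()) <= run_col:
                run_col = None          # dedent: the script block has ended
                continue
            body = line
        else:
            continue
        findings += [(no, hit.group(0)) for hit in UNTRUSTED.finditer(body)]
    return findings

# Constructed sample built around the advisory's step (job name is assumed).
VULNERABLE = """\
jobs:
  port:
    runs-on: ubuntu-latest
    steps:
      - name: Analyze request
        run: |
          python DINAR/workflow-files/analyze_port_trigger.py "${{ github.event.issue.title }}"
"""

# Hardened variant: the expression is expanded into env, not into the script.
HARDENED = """\
jobs:
  port:
    runs-on: ubuntu-latest
    steps:
      - name: Analyze request
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          python DINAR/workflow-files/analyze_port_trigger.py "$ISSUE_TITLE"
"""

if __name__ == "__main__":
    print(find_injections(VULNERABLE), find_injections(HARDENED))
```

In the hardened step the shell only ever sees the title as the value of a quoted variable, so quote characters in the title no longer change the script that runs.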

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2021-011 in any communication regarding this issue.