Back to GitHub.com
February 3, 2021

GHSL-2021-013: Command injection in pythonpune/meetup-talks workflow

Jaroslav Lobačevski

Coordinated Disclosure Timeline

  • 2021-01-18-2021-01-21: Report sent to various maintainers.
  • 2021-01-22: Maintainers acknowledged.
  • 2021-01-22: Issue resolved.

Summary

GitHub workflow in pythonpune/meetup-talks GitHub repository repository is vulnerable to arbitrary code execution from user comments.

Product

pythonpune/meetup-talks GitHub repository repository

Tested Version

The latest changeset notifications.yml to the date.

Details

Issue: A comment body is used to format a shell command

on:
  issue_comment:
    types: [created]
  issues:
    types: [opened]
...
      - name: comment
        run: echo "${{ github.event.comment.body }}"

Impact

This vulnerability allows for arbitrary command injection into the bash script which allows for unauthorized modification of the base repository and secrets exfiltration. For a proof a concept comment on an issue with a"; exit 1.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-013 in any communication regarding this issue.