GitHub workflow in pythonpune/meetup-talks GitHub repository is vulnerable to arbitrary code execution from user comments.
Product: pythonpune/meetup-talks GitHub repository
The latest changeset of notifications.yml to date:
```yaml
on:
  issue_comment:
    types: [created]
  issues:
    types: [opened]
...
      - name: comment
        run: echo "${{ github.event.comment.body }}"
```
This vulnerability allows arbitrary command injection into the bash script, which allows unauthorized modification of the base repository and secrets exfiltration. For a proof of concept, comment on an issue with `"; exit 1`.
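As an added example (not part of the advisory), a small check for the pattern described above: untrusted event fields expanded by `${{ }}` directly inside a `run:` script, where the runner pastes them into the shell source before the shell parses it. The `find_run_injections` helper and both workflow fragments are constructed here; the contexts it treats as untrusted follow GitHub's own documentation on script injection.

```python
import re
from typing import List, Tuple

# Contexts GitHub documents as untrusted: anyone who can comment or open an
# issue or pull request controls their value.
UNTRUSTED_CONTEXTS = ("github.event.comment.body", "github.event.issue.title",
                      "github.event.issue.body", "github.event.pull_request.title")
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")       # ${{ expression }}
RUN_RE = re.compile(r"^(-\s+)?run:\s*(.*)$")          # optional list dash

def _untrusted_in(lineno: int, text: str) -> List[Tuple[int, str]]:
    """Untrusted contexts referenced by ${{ }} expressions on one line."""
    return [(lineno, ctx) for expr in EXPR_RE.findall(text)
            for ctx in UNTRUSTED_CONTEXTS if ctx in expr]

def find_run_injections(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, context) for untrusted expressions expanded inside a
    `run:` script. The runner substitutes them into the shell source before the
    shell parses it, so a crafted value becomes shell syntax (the advisory's bug).
    Expressions under `env:` are not flagged: they reach the script only as data."""
    findings: List[Tuple[int, str]] = []
    in_block, block_col = False, 0       # tracking a `run: |` block scalar
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_block and (not stripped or indent > block_col):
            findings += _untrusted_in(lineno, stripped)
            continue
        in_block = False
        m = RUN_RE.match(stripped)
        if m and m.group(2).startswith(("|", ">")):
            in_block, block_col = True, indent + len(m.group(1) or "")
        elif m:
            findings += _untrusted_in(lineno, m.group(2))
    return findings

# Constructed samples: the advisory's vulnerable step, and a hardened rewrite
# that hands the comment body to the shell through an environment variable.
VULNERABLE = """\
    steps:
      - name: comment
        run: echo "${{ github.event.comment.body }}"
"""
HARDENED = """\
    steps:
      - name: comment
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: echo "$COMMENT_BODY"
"""
```

Running `find_run_injections` over a repository's `.github/workflows/*.yml` files flags the vulnerable step and stays quiet on the `env:`-based rewrite, which is the fix GitHub recommends for this class of bug.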
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-013 in any communication regarding this issue.