skip to content
Back to GitHub.com
Home Bounties CodeQL Research Advisories Get Involved Events
February 3, 2021

GHSL-2021-014: Command injection in benjamin-maynard/kubernetes-cloud-mysql-backup workflow

Jaroslav Lobacevski

Coordinated Disclosure Timeline

Summary

GitHub workflow in benjamin-maynard/kubernetes-cloud-mysql-backup GitHub repository repository is vulnerable to arbitrary code execution from user comments.

Product

benjamin-maynard/kubernetes-cloud-mysql-backup GitHub repository repository

Tested Version

The latest changeset run-pr-tests.yaml to the date.

Details

Issue: A comment body is used to format a shell command

on: 
  issue_comment:
    types: [created]
...
        run: |
          echo "Comment Creator: ${{ github.event.comment.user.login }}"
          echo "Comment Body: ${{ github.event.comment.body }}"
          exit 1

Impact

This vulnerability allows for arbitrary command injection into the bash script which allows for unauthorized modification of the base repository and secrets exfiltration. For a proof a concept on a pull request with a"; exit 0.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-014 in any communication regarding this issue.