Coordinated Disclosure Timeline

Summary

The android-debug-artifact-ondemand.yml GitHub workflow is vulnerable to command injection.

Product

TeamAmaze/AmazeFileManager repository

Tested Version

The latest revision of android-debug-artifact-ondemand.yml as of the date of this report.

Details

Issue: A branch name taken from a pull request is used to format an inline shell script

on:
...
  issue_comment:
    types: [created]

jobs:
  apk:
    runs-on: ubuntu-latest
    if: github.event.comment.body == 'Build test apk' && github.actor == 'VishalNehra' || github.actor == 'TranceLove' || github.actor == 'EmmanuelMess'
    steps:
...
      - name: Get PR informations
        id: pr_data
        run: |
          echo "::set-output name=branch::${{ fromJson(steps.request.outputs.data).head.ref }}"

A potentially untrusted branch name is expanded into an inline shell script. The ${{ ... }} expression is substituted textually into the run: script before the shell parses it, so a branch name containing shell metacharacters becomes part of the command rather than data. The branch name (head.ref) is chosen by whoever opens the pull request, including authors of forks, while an issue_comment workflow runs in the context of the base repository with access to its secrets. As a safeguard, the workflow is meant to run only if one of three selected users comments on the pull request with "Build test apk". However, because of a mistake in the condition (logical AND binds tighter than logical OR), the expression is evaluated as (comment body == 'Build test apk' && actor == 'VishalNehra') || actor == 'TranceLove' || actor == 'EmmanuelMess', so any comment at all by two of the three owners (TranceLove and EmmanuelMess) triggers the workflow regardless of its text.

Impact

If the owners are tricked into commenting on a specially crafted pull request (and, because of the precedence mistake, any comment by two of the three owners suffices), the injected branch name leads to arbitrary script execution in the workflow, which enables unauthorized modification of the base repository and exfiltration of its secrets. For a PoC, create a pull request from a forked repository with the branch name ";echo${IFS}test;#. The leading double quote closes the echo argument, the semicolon ends that command so that echo${IFS}test (with ${IFS} expanding to whitespace) runs as a separate command, and the trailing # comments out the rest of the line.
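The two defects described above, reproduced in a POSIX shell script as an added example; this is not code from the advisory or from the AmazeFileManager repository. The script imitates what the Actions runner does with a run: step (textual substitution of the expression into the script before the shell sees it), shows the PoC branch name executing a second command, shows the environment-variable pattern that keeps the value as data, and encodes the condition both as written and as intended. The TEMPLATE string, the shortened ${{ head.ref }} placeholder, and the comment bodies are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not code from the advisory or the AmazeFileManager repository.
# It simulates what the Actions runner does with a `run:` script: every
# ${{ expr }} is replaced by its raw value BEFORE the shell ever parses the
# script. The template, the branch names and the comment bodies below are
# constructed for this demonstration.

# Branch name from the advisory's PoC.
POC_BRANCH='";echo${IFS}test;#'

# The vulnerable step as it appears in the workflow, with the expression
# shortened to ${{ head.ref }} for readability (assumed placeholder).
TEMPLATE='echo "::set-output name=branch::${{ head.ref }}"'

# render BRANCH: returns the script text the runner would hand to the shell
# (plain textual substitution; awk avoids sed's escaping problems with the
# injected characters).
render() {
  printf '%s' "$TEMPLATE" |
    awk -v v="$1" '{ i = index($0, "${{ head.ref }}"); print substr($0, 1, i - 1) v substr($0, i + 15) }'
}

# unsafe_step BRANCH: executes the rendered script, like the runner would.
# With POC_BRANCH the shell sees
#   echo "::set-output name=branch::";echo${IFS}test;#"
# i.e. the quote is closed, `echo test` runs as a second command, and the
# stray trailing quote is commented out.
unsafe_step() {
  render "$1" | sh
}

# safe_step BRANCH: the value travels through the environment. The script
# text is constant and "$BRANCH" is expanded by the shell as one word, so it
# is data, never code. In the workflow this is `env:` plus "$BRANCH" in `run:`.
safe_step() {
  BRANCH="$1" sh -c 'echo "::set-output name=branch::$BRANCH"'
}

# triggers_as_written ACTOR BODY: the workflow's `if:` as written. In the
# Actions expression language && binds tighter than ||, so only the first
# actor check is tied to the comment body. Returns 0 when the job would run.
triggers_as_written() {
  { [ "$2" = 'Build test apk' ] && [ "$1" = 'VishalNehra' ]; } ||
    [ "$1" = 'TranceLove' ] || [ "$1" = 'EmmanuelMess' ]
}

# triggers_intended ACTOR BODY: the condition the authors meant, with the
# body check applied to all three actors.
triggers_intended() {
  [ "$2" = 'Build test apk' ] &&
    { [ "$1" = 'VishalNehra' ] || [ "$1" = 'TranceLove' ] || [ "$1" = 'EmmanuelMess' ]; }
}

printf 'rendered unsafe script: %s\n' "$(render "$POC_BRANCH")"
printf 'unsafe step output:\n%s\n' "$(unsafe_step "$POC_BRANCH")"
printf 'safe step output:\n%s\n' "$(safe_step "$POC_BRANCH")"
```

Running it prints the rendered script, then two lines from the unsafe step (the truncated set-output command followed by "test", proving the injected command ran), then a single line from the safe step containing the branch name verbatim. The corresponding workflow fix is the same two changes: parenthesize the condition so the body check covers every actor, i.e. github.event.comment.body == 'Build test apk' && (github.actor == 'VishalNehra' || github.actor == 'TranceLove' || github.actor == 'EmmanuelMess'), and move the expression out of the script text into an env: entry such as BRANCH: ${{ fromJson(steps.request.outputs.data).head.ref }}, referencing it from run: as "$BRANCH".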

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-046 in any communication regarding this issue.