April 1, 2021

GHSL-2021-046: Command injection in a GitHub workflow of AmazeFileManager

Jaroslav Lobacevski

Coordinated Disclosure Timeline


The android-debug-artifact-ondemand.yml GitHub workflow is vulnerable to command injection.


TeamAmaze/AmazeFileManager repository

Tested Version

The latest changeset of android-debug-artifact-ondemand.yml to date.


Issue: A branch name from pull request is used to format inline script

```yaml
    types: [created]

    runs-on: ubuntu-latest
    if: github.event.comment.body == 'Build test apk' && == 'VishalNehra' || == 'TranceLove' || == 'EmmanuelMess'
      - name: Get PR informations
        id: pr_data
        run: |
          echo "::set-output name=branch::${{ fromJson( }}"
```

A potentially untrusted branch name is substituted into a shell script before the shell runs it. As a safeguard, the workflow is meant to run only if one of three selected users comments on the pull request with “Build test apk”. However, because of an operator-precedence mistake in the condition (logical AND binds more tightly than logical OR), any comment at all by two of the three owners triggers the workflow, regardless of the comment's content.


If the owners are tricked into commenting on a specially crafted pull request, the branch name is injected into the inline script, which enables unauthorized modification of the base repository and exfiltration of secrets. For a PoC, create a pull request from a forked repository with the branch name ";echo${IFS}test;#.
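The two defects above (the precedence mistake in the `if:` condition, and the `${{ }}` substitution of a branch name into a `run:` script) are modelled in the following Python script. It is an added example for this advisory, not code from the AmazeFileManager workflow or from GitHub; it assumes the intended condition was "comment is 'Build test apk' AND actor is one of the three owners", uses a constructed `head_ref` context key in place of the workflow's real `fromJson(...)` expression, and only renders script text: nothing is executed by a shell. The hardened step shows the usual mitigation of passing the untrusted value through an environment variable so the script text stays constant.

```python
"""Model of the GHSL-2021-046 defects (added example, not the project's code)."""
import re
from itertools import product

# Owner logins as they appear in the advisory's condition.
OWNERS = ("VishalNehra", "TranceLove", "EmmanuelMess")
TRIGGER_COMMENT = "Build test apk"


def condition_as_written(comment_body: str, actor: str) -> bool:
    """The condition with GitHub's actual precedence:
    `a && b || c || d` parses as `(a && b) || c || d`."""
    return (comment_body == TRIGGER_COMMENT and actor == OWNERS[0]) \
        or actor == OWNERS[1] or actor == OWNERS[2]


def condition_intended(comment_body: str, actor: str) -> bool:
    """What the safeguard was meant to express (assumption):
    `a && (b || c || d)`, i.e. the parenthesized fix."""
    return comment_body == TRIGGER_COMMENT and actor in OWNERS


def unintended_triggers() -> list:
    """(actor, comment) pairs that start the job as written but should not.
    The non-owner login and the 'LGTM' comment are constructed sample input."""
    actors = OWNERS + ("someone-else",)
    comments = (TRIGGER_COMMENT, "LGTM")
    return sorted(
        (actor, body)
        for actor, body in product(actors, comments)
        if condition_as_written(body, actor) and not condition_intended(body, actor)
    )


# --- template substitution into a run: step ---------------------------------
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def render_run_script(template: str, context: dict) -> str:
    """Mimic the runner: `${{ expr }}` is replaced by the expression's value
    as plain text before bash ever parses the script. Only a flat name
    lookup is modelled here (assumption: enough for the demonstration)."""
    return EXPR.sub(lambda m: str(context[m.group(1)]), template)


# Step in the style of the vulnerable workflow; `head_ref` stands in for
# the real fromJson(...) expression (constructed placeholder).
VULNERABLE_STEP = 'echo "::set-output name=branch::${{ head_ref }}"\n'
# Hardened form: the value travels through the environment (env: HEAD_REF),
# so the script text is fixed and the shell treats $HEAD_REF as data.
HARDENED_STEP = 'echo "::set-output name=branch::$HEAD_REF"\n'


def shell_commands(script: str) -> list:
    """Small approximation of how bash splits a script into commands:
    honours double quotes, ';' separators, newlines and '#' comments at the
    start of a command. Good enough to count how many commands a rendered
    step contains; it does not model '&&', '|' or single quotes."""
    cmds, cur, in_dq = [], [], False
    i, n = 0, len(script)
    while i < n:
        ch = script[i]
        if ch == '"':
            in_dq = not in_dq
            cur.append(ch)
        elif not in_dq and ch == ';':
            cmds.append("".join(cur).strip())
            cur = []
        elif not in_dq and ch == '#' and (not cur or cur[-1] in " \t"):
            nl = script.find("\n", i)      # comment runs to end of line
            i = n if nl == -1 else nl
            continue
        elif not in_dq and ch == "\n":
            cmds.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    cmds.append("".join(cur).strip())
    return [c for c in cmds if c]


if __name__ == "__main__":
    print("unintended triggers:", unintended_triggers())
    poc = '";echo${IFS}test;#'            # branch name from the advisory's PoC
    for name, step in (("vulnerable", VULNERABLE_STEP), ("hardened", HARDENED_STEP)):
        rendered = render_run_script(step, {"head_ref": poc})
        print(name, "->", shell_commands(rendered))
```

Running the script prints the two owner/comment pairs that start the job without the trigger phrase, then shows that the vulnerable step renders into two shell commands for the PoC branch name while the hardened step always renders into one.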


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2021-046 in any communication regarding this issue.