GHSL-2021-046: Command injection in a GitHub workflow of AmazeFileManager

Coordinated Disclosure Timeline

• 2021-02-04: Issue reported to maintainers
• 2021-02-04: Issue fixed

Summary

The android-debug-artifact-ondemand.yml GitHub workflow is vulnerable to command injection.

Product

TeamAmaze/AmazeFileManager repository

Tested Version

The latest changeset of android-debug-artifact-ondemand.yml to the date.

Details

Issue: A branch name from pull request is used to format inline script

on:
...
  issue_comment:
    types: [created]

jobs:
  apk:
    runs-on: ubuntu-latest
    if: github.event.comment.body == 'Build test apk' && github.actor == 'VishalNehra' || github.actor == 'TranceLove' || github.actor == 'EmmanuelMess'
    steps:
...
      - name: Get PR informations
        id: pr_data
        run: |
          echo "::set-output name=branch::${{ fromJson(steps.request.outputs.data).head.ref }}"

A potentially untrusted branch name is used to format a shell script. As a safeguard, the workflow runs only if one of the three selected users comment on the pull request with “Build test apk”. However because of a mistake in the condition (logical AND operation has higher priority than logical OR) any comment by two of the three owners actually triggers the workflow.

Impact

If the owners are tricked to comment on an especially crafted pull request, it may lead to arbitrary script injection which enables un-authorized modification of the base repository and secrets exfiltration. For a PoC create a pull request from a forked repository with branch name ";echo${IFS}test;#.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-046 in any communication regarding this issue.