Coordinated Disclosure Timeline
- 2021-02-04: Issue reported to maintainers
- 2021-02-04: Report acknowledged
- 2021-02-23: Issue fixed
The latest version of bloat.yml as of the report date.
Issue: A specific comment triggers a potentially untrusted pull request build in a privileged environment
When a user comments on a pull request, it triggers the following workflow, which checks out the pull request and builds the potentially untrusted code:
```yaml
on:
  issue_comment:
    types: [created, edited]
...
# if it isn't an issue comment run every time, otherwise only run if the comment starts with '/bloat'
if: (!startsWith(github.event_name, 'issue_comment') || startsWith(github.event.comment.body, '/bloat'))
steps:
  ...
  - name: build head
    if: steps.get_revs.outputs.base != steps.get_revs.outputs.head
    uses: actions-rs/cargo@v1
    with:
      command: build
      args: --release --examples
```
The triggered workflow has access to the write repository token and secrets. The vulnerability allows for unauthorized modification of the base repository and secrets exfiltration.
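As an added example (not the advisory's or the repository's own workflow), a hardened form of the same `/bloat` command: the job token is restricted to read access on the repository, the trigger is gated to comments on pull requests from users with write access, and the build is pinned to the commit the maintainer reviewed. The `name`, the `permissions` values and the `pr` step are assumptions.

```yaml
# Added example, not the advisory's or the project's workflow; it keeps the
# issue_comment trigger and build step shown above and adds controls around them.
name: bloat
on:
  issue_comment:
    types: [created, edited]

# Least privilege: the automatic GITHUB_TOKEN can no longer push, tag or edit
# the repository, so code built from the PR cannot modify the base branch.
permissions:
  contents: read
  pull-requests: write      # only what a later step needs to post the report

jobs:
  bloat:
    runs-on: ubuntu-latest
    # Gate the trigger: the comment must be on a pull request, must be the
    # /bloat command, and must come from someone with write access. A
    # maintainer's comment thereby becomes an explicit approval to build that
    # revision; comments from the PR author or any other user do nothing.
    if: >-
      github.event.issue.pull_request
      && startsWith(github.event.comment.body, '/bloat')
      && contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'),
                  github.event.comment.author_association)
    steps:
      # Resolve the PR head to a fixed SHA (assumed step, replaces get_revs).
      - id: pr
        uses: actions/github-script@v4
        with:
          script: |
            const { data: pr } = await github.pulls.get({
              ...context.repo, pull_number: context.issue.number });
            core.setOutput('sha', pr.head.sha);
      # Check out that exact commit, not a branch ref the PR author can move
      # after the maintainer commented.
      - uses: actions/checkout@v2
        with:
          ref: ${{ steps.pr.outputs.sha }}
      # The untrusted build still runs here, so this job references no
      # secrets.* at all: anything passed in as env would be exposed to it.
      - name: build head
        uses: actions-rs/cargo@v1
        with:
          command: build
          args: --release --examples
```

Even with these controls the pull request's build scripts execute in this job, which is why it must not use secrets; the stronger fix is to build under an unprivileged `pull_request` workflow and let a separate `workflow_run` workflow, which never executes PR code, consume the artifact and post the comment.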
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
You can contact the GHSL team at firstname.lastname@example.org; please include a reference to GHSL-2021-048 in any communication regarding this issue.