February 24, 2021

GHSL-2021-048: Unauthorized repository modification or secrets exfiltration in several GitHub workflows of linebender

Jaroslav Lobacevski

Coordinated Disclosure Timeline


The bloat.yml GitHub workflow in linebender/druid, linebender/runebender and linebender/norad is vulnerable to unauthorized modification of the base repository or secrets exfiltration.


linebender/druid repository
linebender/runebender repository
linebender/norad repository

Tested Version

The latest version of bloat.yml as of the report date.


Issue: A specific comment triggers a potentially untrusted pull request build in a privileged environment

When a user comments on a pull request, it triggers the following workflow, which checks out the pull request and builds the potentially untrusted code:

    # Excerpt of bloat.yml; unrelated lines are omitted (marked with "...")
    on:
      issue_comment:
        types: [created, edited]
    # ...
        # if it isn't an issue comment run every time, otherwise only run if the comment starts with '/bloat'
        if: (!startsWith(github.event_name, 'issue_comment') || startsWith(github.event.comment.body, '/bloat'))
        steps:
          # ... (a preceding step checks out the pull request head)
          - name: build head
            if: steps.get_revs.outputs.base != steps.get_revs.outputs.head
            uses: actions-rs/cargo@v1
            with:
              command: build
              args: --release --examples


The triggered workflow runs with the write-scoped repository token and has access to the repository secrets. Because it builds code taken from the pull request, the vulnerability allows unauthorized modification of the base repository and exfiltration of secrets.
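As an added example that is not the project's workflow, the same /bloat flow can be split so the untrusted pull request head is built under the read-only pull_request token, while the comment-triggered job keeps a narrowly scoped write token but never checks out or runs pull request code. Job names, action versions and the artifact name are assumptions made for the example.

```yaml
# Added example, not the linebender bloat.yml.
# Untrusted code is built only in the pull_request job: forks get no secrets and
# a read-only GITHUB_TOKEN there. The comment-triggered job has write scope but
# never checks out or executes anything from the pull request.
on:
  pull_request:
  issue_comment:
    types: [created, edited]

permissions:
  contents: read            # workflow-wide default; no job gets write unless stated

jobs:
  build-head:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - uses: actions-rs/cargo@v1
        with:
          command: build
          args: --release --examples
      - uses: actions/upload-artifact@v4
        with:
          name: bloat-sizes              # assumed artifact name
          path: target/release/examples

  report:
    if: github.event_name == 'issue_comment' && startsWith(github.event.comment.body, '/bloat')
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write  # the only write scope this job needs: posting a comment
    steps:
      # No checkout and no build here: this job holds write permission, so it
      # must only report on what the unprivileged build-head job produced.
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'Bloat report requested: see the bloat-sizes artifact on this PR\'s checks.'
            });
```

The separation is the point: whichever job handles the '/bloat' comment must not obtain a pull request's code while holding a token that can push to the base branch.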


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at; please include a reference to GHSL-2021-048 in any communication regarding this issue.