June 27, 2023

GHSL-2023-050: Command Injection in Apache Doris repository's CI workflow

Jorge Rosillo

Coordinated Disclosure Timeline


The Apache Doris repository is vulnerable to a Command Injection in auto_trigger_teamcity.yml.


Apache Doris

Tested Version



Actions command injection in auto_trigger_teamcity.yml (GHSL-2023-050)

The auto_trigger_teamcity.yml workflow is triggered on issue_comment (i.e., when a comment inside an Issue is created or updated). The workflow starts with a GitHub repository token that has full write permissions, since the default workflow permissions at the Organization/Repository level are set to read-write.

Taking the above into account, this workflow runs the following step with data controlled by said comment (${{ github.event.comment.body }} – the full contents of the comment), allowing an attacker to take over the GitHub Runner, run custom commands (potentially stealing any used secret) and alter the repository. The ${{ }} expression is substituted into the script text before the shell runs it, so a double quote in the comment closes the string and whatever follows is executed as shell commands.

  if: contains(github.event.comment.body, 'buildall') && contains(github.event.comment.body, 'run') && !contains(github.event.comment.body, 'Thanks for your contribution')
  runs-on: ubuntu-latest
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  steps:
    - name: Run pipeline by restful
      # Vulnerable: the comment body is expanded into the script text before the shell runs.
      run: |
        comment="${{ github.event.comment.body }}"
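
To catch this pattern in review, the following added example (not part of the advisory or of the Apache Doris repository) scans workflow text for user-controllable expressions interpolated into run: scripts and for a missing permissions: key. The job name build, the COMMENT_BODY variable and both sample workflows are constructed for illustration; the hardened sample hands the comment to the shell as data through an environment variable.

```python
import re
# Expressions whose value an outside user controls (a subset, chosen for this example).
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(?:head_ref|event\."
                       r"(?:comment|issue|pull_request|review)\.(?:body|title))\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_injections(workflow):
    """Return (line number, expression) for untrusted expressions inside run: scripts."""
    findings, run_col = [], None
    for lineno, line in enumerate(workflow.splitlines(), 1):
        if run_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= run_col:
                run_col = None  # dedent: the block scalar has ended
            else:
                findings += [(lineno, m.group(0)) for m in UNTRUSTED.finditer(line)]
                continue
        key = RUN_KEY.match(line)
        if key:
            findings += [(lineno, m.group(0)) for m in UNTRUSTED.finditer(key.group(2))]
            # Only "|" or ">" opens a multi-line script body.
            run_col = len(key.group(1)) if key.group(2)[:1] in ("|", ">") else None
    return findings

def declares_permissions(workflow):
    """True if the workflow narrows GITHUB_TOKEN with a permissions: key."""
    return re.search(r"^\s*permissions:", workflow, re.MULTILINE) is not None

# Constructed sample: the step from the advisory, interpolating the comment directly.
VULNERABLE = '''\
jobs:
  build:
    steps:
    - name: Run pipeline by restful
      run: |
        comment="${{ github.event.comment.body }}"
'''
# Constructed sample: same step, comment passed through env and a read-only token.
HARDENED = '''\
permissions: {contents: read}
jobs:
  build:
    steps:
    - name: Run pipeline by restful
      env:
        COMMENT_BODY: ${{ github.event.comment.body }}
      run: |
        comment="$COMMENT_BODY"
'''
```

find_injections(VULNERABLE) reports the comment= line, while the hardened sample produces no findings because the expression appears only under env:, where it is never parsed as shell.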

Proof of Concept

  1. Create an Issue in apache/doris (the title is unrelated).
  2. Comment the following in the created Issue: `buildall run"; echo "This could be a command to exfiltrate GITHUB_TOKEN";#` (without backticks)
  3. Check the workflow runs for the new Actions run that will execute the command `echo "This could be a command to exfiltrate GITHUB_TOKEN"`.


This issue may lead to stealing workflow secrets and modification of the repository.



This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).


You can contact the GHSL team at, please include a reference to GHSL-2023-050 in any communication regarding this issue.