October 5, 2023

GHSL-2023-100: Command Injection in a GitHub Actions workflow of Apache Ignite

Jorge Rosillo

Coordinated Disclosure Timeline


The apache/ignite repository is vulnerable to a command injection in Actions, allowing an attacker to leak secrets.


Apache Ignite

Tested Version



Actions command injection in sonar-pr-from-fork.yml (GHSL-2023-100)

The sonar-pr-from-fork.yml workflow is triggered on pull_request_target (i.e., when a Pull Request against the base repository is created or updated), which also covers the case when a Pull Request originates from a fork.

Taking the above into account, this workflow runs the following step with data controlled by said fork (${{ github.head_ref }} – the name of the fork’s branch), allowing an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets such as GITHUB_TOKEN, SONARCLOUD_TOKEN).

- name: Sonar Analyze Upload
  # ${{ }} expressions are substituted into the script text before the shell runs it;
  # github.head_ref is chosen by the fork, so it lands unescaped in this command line.
  run: >
    ./mvnw org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
    -P all-java,lgpl,examples,skip-docs
    -Dsonar.pullrequest.branch=${{ github.head_ref }}
    -Dsonar.pullrequest.base=${{ github.base_ref }}
    -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
    -B -V
  env:
    MAVEN_OPTS: "-XX:+UseG1GC -XX:InitialHeapSize=2g -XX:MaxHeapSize=6g -XX:+UseStringDeduplication"
    SONAR_OPTS: "-XX:+UseG1GC -XX:InitialHeapSize=2g -XX:MaxHeapSize=6g -XX:+UseStringDeduplication"
    JAVA_OPTS: "-XX:+UseG1GC -XX:InitialHeapSize=2g -XX:MaxHeapSize=6g -XX:+UseStringDeduplication"
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
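An added example, written for this advisory rather than taken from it or from Apache Ignite, of the check a workflow reviewer can automate: it scans every `run:` script in a workflow for `${{ }}` expressions that reference attacker-controlled contexts, flags the line in the step above, and passes a rewrite that routes `github.head_ref` through an environment variable and quotes it in the shell. The function names, the `UNTRUSTED` list and both sample steps are constructed for the example.

```python
"""Added example, not the advisory's or Apache Ignite's code: flag untrusted contexts expanded in run: scripts."""
import re
# Contexts GitHub documents as attacker-controllable; github.head_ref is the one Ignite's workflow used.
UNTRUSTED = (
    r"^github\.head_ref$",
    r"^github\.event\.pull_request\.(title|body|head\.ref|head\.label)$",
    r"^github\.event\.(issue|comment|review)\.(title|body)$",
)
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")      # one ${{ expression }}
RUN_RE = re.compile(r"^(\s*)(- )?run:\s*(.*?)\s*$")  # a step's run: key and its (stripped) value

def run_scripts(workflow_yaml):
    """Yield (line_no, script) for every run: key, whether inline or a | / > block scalar."""
    lines = workflow_yaml.splitlines()
    for n, line in enumerate(lines):
        m = RUN_RE.match(line)
        if not m:
            continue
        key_indent = len(m.group(1)) + (2 if m.group(2) else 0)
        body = [] if m.group(3) in ("|", ">", "|-", ">-") else [m.group(3)]
        for nxt in lines[n + 1:]:                    # block scalar: lines indented deeper than the key
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= key_indent:
                break
            body.append(nxt)
        yield n + 1, "\n".join(body)

def find_injections(workflow_yaml):
    """Return (line_no, expression) for each untrusted context expanded directly into a shell script."""
    hits = []
    for line_no, script in run_scripts(workflow_yaml):
        for expr in EXPR_RE.findall(script):
            if any(re.match(p, expr) for p in UNTRUSTED):
                hits.append((line_no, expr))
    return hits

# Constructed samples: the advisory's step, and the fix (value passed via an env var, quoted in the shell).
VULNERABLE_STEP = """\
- name: Sonar Analyze Upload
  run: >
    ./mvnw org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
    -Dsonar.pullrequest.branch=${{ github.head_ref }}
"""
FIXED_STEP = """\
- name: Sonar Analyze Upload
  env:
    HEAD_REF: ${{ github.head_ref }}
  run: >
    ./mvnw org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
    -Dsonar.pullrequest.branch="$HEAD_REF"
"""
```

In the fixed step the expression is evaluated only when the environment variable is set, and the double quotes keep the shell from parsing the branch name as separate commands or arguments.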

Proof of Concept

  1. Fork the apache/ignite repository; the fork will be referred to as username/ignite-fork.
  2. Create a branch in username/ignite-fork with the name master;echo${IFS}"hello";#.
  3. Push any change to that branch.
  4. Create a pull request from username/ignite-fork:master;echo${IFS}"hello";# to apache/ignite:master.
  5. Check the workflow runs for the new Actions run, which will execute the command echo "hello".


This issue may lead to stealing workflow secrets.



This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).


You can contact the GHSL team at; please include a reference to GHSL-2023-100 in any communication regarding this issue.