Coordinated Disclosure Timeline

Summary

The home-assistant/actions helpers/version workflow is vulnerable to a GitHub Actions expression injection (a command injection into a step's shell script) that could let an attacker leak secrets and alter the repository through any workflow that uses it.

Product

Home Assistant

Tested Version

de031f3

Details

Actions expression injection in helpers/version/action.yml (GHSL-2023-179)

The helpers/version workflow interpolates the raw github.head_ref expression directly into the shell script of its publish step:

- shell: bash
  id: publish
  run: |
    ...
    elif [[ "${{ inputs.type }}" =~ (plugin|supervisor) ]]; then
      if [[ ! -z "${{ github.head_ref }}" ]]; then
    ...

If a repository uses home-assistant/actions/helpers/version from a workflow triggered by pull_request_target, an attacker could open a pull request from a branch with a malicious name to gain command execution in that step and potentially leak secrets.

name: Example

on: pull_request_target

jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - name: Get version
        id: version
        uses: home-assistant/actions/helpers/version@v1.0.0
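A hardened form of the publish step, added here as an illustration and not the project's own fix: the untrusted expressions are bound to environment variables in the step's env block, so bash expands them as data at runtime instead of the runner splicing their contents into the script text. The echo body is a placeholder for the step's real logic.

```yaml
# Added example, not code from the advisory or the home-assistant/actions repository.
# ${{ }} expressions are evaluated only inside env:, never inside run:, so a
# branch name containing shell metacharacters cannot change the script.
- shell: bash
  id: publish
  env:
    INPUT_TYPE: ${{ inputs.type }}
    HEAD_REF: ${{ github.head_ref }}
  run: |
    if [[ "$INPUT_TYPE" =~ (plugin|supervisor) ]]; then
      if [[ -n "$HEAD_REF" ]]; then
        # "$HEAD_REF" is a quoted variable expansion: its value is never parsed as code.
        echo "Publishing from head ref: $HEAD_REF"
      fi
    fi
```

The calling workflow cannot apply this change itself; until the action is fixed, avoiding pull_request_target for workflows that use it removes the attacker's control over the branch name.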

Impact

This issue may lead to the theft of workflow secrets.

Resources

Credit

This issue was discovered and reported by GHSL team members @jorgectf (Jorge) and @p- (Peter Stöckli).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2023-179 in any communication regarding this issue.