- Apr 24, 2016
Read the full article here at Neowin:The vulnerability has been classified as a "high" severity issue by Google Project Zero. We'll spare you the nitty-gritty technical details - and you're free to view them in detail here if you want - but the meat of the matter is that workflow commands in GitHub Actions are extremely vulnerable to injection attacks. For those unaware, workflow commands act as a communication channel between executed actions and the Action Runner.
Felix Wilhelm, who discovered the security flaw via source code review, says that:
In his original post, Wilhelm went on to say that he's unsure how to fix the issue as the way workflow commands are implemented is "fundamentally insecure". A short-term solution would be to deprecate the command syntax, whereas a long-term fix would involve moving workflow commands to some out-of-bound channel, but that would also break other pieces of dependent code.The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every Github action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed.
I’ve spent some time looking at popular Github repositories and almost any project with somewhat complex Github actions is vulnerable to this bug class.
Following the discovery of the security flaw on July 21, the Project Zero team naturally reached out to GitHub with information about the vulnerability, giving them the standard 90 days to resolve it - which would expire on October 18. At the start of this month, GitHub decided to deprecate vulnerable commands and sent out an advisory about a "moderate security vulnerability", asking users to update their workflows. On October 16, GitHub accepted Google's 14-day grace period to fully disable the commands, making November 2 the new deadline.
There has officially been radio silence from GitHub since October 28. Through informal channels, the Project Zero team learned that GitHub plans to request an additional 48 hours. However, this additional grace period is not to patch the issue, but to further notify customers and to determine a "hard date" to fix the vulnerability. As this is not in line with Project Zero's standard disclosure process, the flaw has been made public by the security team today with a proof-of-concept code made available as well.
Google's Project Zero team has disclosed a "high" severity security flaw in GitHub following the latter's inability to provide a fix in the 104 days - which includes a grace period - allotted to it.