You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I've identified a critical security vulnerability within the GitHub Action due to the handling of the "ADDITIONAL_PARAMETERS" input. The issue arises from the use of eval to process this input, which can allow for the execution of arbitrary commands. This misuse of eval poses a significant security risk, as it could potentially be exploited to bypass CI controls or expose sensitive information, such as the GITHUB_TOKEN.
The expected behavior would be for the GitHub Action to securely handle input parameters without executing them as code. Ideally, inputs should be sanitized or validated to ensure that they cannot be used to inject malicious code.
Actual behavior
The actual behavior is that the "ADDITIONAL_PARAMETERS" input is processed with eval, allowing for the injection of arbitrary commands. For example, injecting "); exit 0; # can terminate the script prematurely, and similarly, "); echo $GITHUB_TOKEN; # could potentially expose the GitHub token or other sensitive environment variables.
Steps to reproduce
To reproduce the vulnerability, you can follow these steps:
Configure the GitHub Action in a workflow.
In the action's inputs, supply an "ADDITIONAL_PARAMETERS" value that includes malicious code, such as "); exit 0; #.
Execute the workflow.
Observe that the injected command is executed, demonstrating the vulnerability.
Additional comments
This vulnerability exposes projects to significant risks, including unauthorized access to sensitive information or manipulation of the CI/CD process. It is crucial to address this issue to maintain the security integrity of projects using this GitHub Action.
Logs
Due to the nature of this report, providing specific logs might inadvertently expose sensitive information. However, the behavior can be verified by following the reproduction steps provided above with a test command designed to demonstrate the arbitrary command execution.
The text was updated successfully, but these errors were encountered:
Describe the "bug"
I've identified a critical security vulnerability within the GitHub Action due to the handling of the "ADDITIONAL_PARAMETERS" input. The issue arises from the use of
eval
to process this input, which can allow for the execution of arbitrary commands. This misuse ofeval
poses a significant security risk, as it could potentially be exploited to bypass CI controls or expose sensitive information, such as theGITHUB_TOKEN
.ast-github-action/entrypoint.sh
Line 5 in 75a1d77
Expected behavior
The expected behavior would be for the GitHub Action to securely handle input parameters without executing them as code. Ideally, inputs should be sanitized or validated to ensure that they cannot be used to inject malicious code.
Actual behavior
The actual behavior is that the "ADDITIONAL_PARAMETERS" input is processed with
eval
, allowing for the injection of arbitrary commands. For example, injecting"); exit 0; #
can terminate the script prematurely, and similarly,"); echo $GITHUB_TOKEN; #
could potentially expose the GitHub token or other sensitive environment variables.Steps to reproduce
To reproduce the vulnerability, you can follow these steps:
"); exit 0; #
.Additional comments
This vulnerability exposes projects to significant risks, including unauthorized access to sensitive information or manipulation of the CI/CD process. It is crucial to address this issue to maintain the security integrity of projects using this GitHub Action.
Logs
Due to the nature of this report, providing specific logs might inadvertently expose sensitive information. However, the behavior can be verified by following the reproduction steps provided above with a test command designed to demonstrate the arbitrary command execution.
The text was updated successfully, but these errors were encountered: