Hi,
I have discovered command injection vulnerability in one of your Github repos.
Apologies for any inconvenience if this type of bug is not of interest to you. Allow me to explain the problem.
GitHub Actions, a powerful tool for automating workflows, can inadvertently introduce security vulnerabilities if not configured securely. Insecure GitHub Actions configuration can lead to various risks, including unauthorized access, data breaches, and code injection attacks.
Currently https://github.com/hyperledger/cacti/tree/HEAD/.github/workflows/test_weaver-pre-release.yaml#L28 allows attacker to inject arbitrary command and run it on the Github runner. Note the usage of double quotes and untrusted pull_request.name
.
U";cat $GITHUB_WORKSPACE/.git/config | xxd -p | base64; echo "D
titlecheck_release
workflow will be triggered$GITHUB_TOKEN
(by default Github will replace it with *** if you will try just echo it, that is why I used xxd + base64)Such scenario leaves possibility to access $GITHUB_TOKEN
environment variable, potentially compromising the whole GitHub organization.
Good explanation of the problem could be found at github docs: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
There are few limits to the attack:
$GITHUB_TOKEN
is a short lived token and for the real life attack, whole attack should be scripted until job is still running