Google's Project Zero reveals security vulnerabilities at GitHub
Source: Heise.de, added 3rd Nov 2020
The team behind Google's Project Zero has uncovered a security vulnerability on GitHub. Project Zero looks for weaknesses and errors in Google's own software as well as in software developed by other companies. When it identifies a weak point, the security team reports it directly to the provider. Those affected then have 90 days to correct the error before it is disclosed to the public.
Project Zero classifies the vulnerability as high severity. The core of the problem is that the workflow commands in GitHub Actions, which serve as a communication channel between the executed actions and the Action Runner, are extremely vulnerable to injection attacks. In such an attack, untrustworthy content is passed to a program, where it can change and disrupt the system.
No quick solution to the problem
The finder of the security hole, Felix Wilhelm, describes his discovery as follows: Since the runner process parses every line of stdout (the standard output stream) in search of workflow commands, every GitHub action that includes untrustworthy content in its execution output is susceptible. In most cases, the ability to set arbitrary environment variables will result in remote code execution whenever another workflow is running. Remote code execution describes the ability of an attacker to remotely access computers and end devices and carry out changes on them through software. Wilhelm spent some time looking at GitHub repositories, and almost every project with more complex GitHub Actions is prone to this class of errors.
He does not see a quick fix for the problem, because the way in which workflow commands are implemented is fundamentally insecure. A short-term solution would be to discard the command syntax, whereas a long-term solution would be to move workflow commands to a channel outside of the output channel, but this would also affect other parts of the dependent code.
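An added example, not from the article or from GitHub's runner code: a simplified JavaScript model of the line-based parsing described above, used to flag untrusted text that would be read as a workflow command and to wrap it in GitHub's documented stop-commands pause before it is printed. The regular expressions, function names and sample title are assumptions made for illustration.

```javascript
// Simplified model (assumption): a stdout line is treated as a workflow
// command if, after leading whitespace, it starts with "::name ...::",
// or if it contains the legacy "##[name ...]" form anywhere in the line.
const V2_COMMAND = /^\s*::([A-Za-z][\w-]*)(?:\s+[^:]*)?::/;
const V1_COMMAND = /##\[([A-Za-z][\w-]*)[^\]]*\]/;
const LINE_BREAK = /\r\n|\r|\n/;

// Return every line of `text` that the modelled parser would act on.
// Run this over untrusted input (issue titles, commit messages, file
// contents) before an action echoes it to stdout.
function findWorkflowCommands(text) {
  const hits = [];
  String(text).split(LINE_BREAK).forEach((line, index) => {
    const match = V2_COMMAND.exec(line) || V1_COMMAND.exec(line);
    if (match) hits.push({ line: index + 1, command: match[1].toLowerCase() });
  });
  return hits;
}

// Build the stdout lines that print `untrusted` with command parsing paused.
// `token` must be unpredictable and fresh per call, for example
// crypto.randomBytes(16).toString("hex"); whoever knows it can resume parsing.
function printableLines(untrusted, token) {
  if (!token) throw new Error("a resume token is required");
  const text = String(untrusted);
  if (text.includes(token)) throw new Error("resume token occurs in the content");
  return [`::stop-commands::${token}`, ...text.split(LINE_BREAK), `::${token}::`];
}

// Constructed sample: an issue title that an action might copy into its log.
const SAMPLE_TITLE =
  "Build fails on main\n::set-env name=EXAMPLE_VAR::constructed-value";

function demo() {
  return {
    flagged: findWorkflowCommands(SAMPLE_TITLE),
    safeOutput: printableLines(SAMPLE_TITLE, "constructed-token-for-demo"),
  };
}
```

Flagged input can be rejected outright or printed only through `printableLines`; prose such as `std::vector::size` in the middle of a line is not flagged by this model.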
The 90 days are up
According to the timeline in "Issue 2070" of Project Zero, this vulnerability was discovered back on 21 July 2020. Typically, the project allows the vendor 90 days to fix the bug before it is revealed to the public. The deadline for GitHub therefore ended on 18 October.
The software hoster's efforts to fix the security gap apparently did not comply with the standard Project Zero disclosure procedure, so the security team has now made the vulnerability and a proof-of-concept code public. Further information can be found in the article by Project Zero.
(mdo)