Google Project Zero (GPZ) has disclosed a serious vulnerability in GitHub’s Actions feature, after the version control platform drug its feet fixing it.
GPZ discovered an issue making GitHub Actions vulnerable to injection attacks. The vulnerability has been labeled ‘high-severity’ by GPZ. According to GPZ’s Felix Wilhelm, any project that relies heavily on Actions could be vulnerable.
The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every Github action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed.
I’ve spent some time looking at popular Github repositories and almost any project with somewhat complex Github actions is vulnerable to this bug class.
To make matters worse, GitHub wasted the normal 90-day period GPZ normally gives organizations before disclosing a vulnerability. GitHub was initially notified of the vulnerability on July 21, with a disclosure date of October 18 set.
With no announced resolution, GPZ reached out to GitHub on October 12 and offered a 14-day grace period, which was accepted on October 16. A new disclosure date of November 2 was set. GPZ tried contacting GitHub on October 28, but received no response. On October 30, GPZ reached out to informal contacts, which indicated GitHub considered the issue fixed.
On November 1, GitHub officially reached out to request an additional 48 hours, not to fix the issue, but to notify users of a future date when the issue would be fixed. GPZ informed GitHub there was no further provision to extend the grace period and proceeded with the disclosure on November 2.
GitHub has provided an example of how not to handle a vulnerability. GPZ went above-and-beyond to communicate and work with GitHub, but it appears that GitHub squandered its opportunities to definitively address the issue.